intrigeri: > Hi, > > adrelanos wrote (01 Jul 2013 18:03:01 GMT) : >> Goal: > >> - big file downloads >> - at least as secure as TLS >> - at least as simple as a regular download using a browser >> - not using TLS itself (too expensive) for bulk download > >> The problem: [...] > > + verify that the signed file you've downloaded is actually the > version you intended to download, and not an older, also properly > signed one.
I didn't want to make such high requirements. At the moment, problems are worse, most downloads (http) aren't even as safe as TLS. Any tool as safe as TLS and also defeating your + is of course welcome as well. > See tools that take this into account: > - Thandy (already mentioned by Moritz) As far I know, Thandy is unfinished, no longer developed, Tor package centric, derived from TUF, downloader. Therefore not useful for the general use case? > - TUF: > https://www.updateframework.com/ TUF is awesome. They're creating a library, others can use in their applications. But then we're back to the original problem of this thread: how to get this application in the first place and at least as safe as TLS? > - our design for incremental updates: > https://tails.boum.org/todo/incremental_upgrades/ This is awesome as well, but I believe it solves a different problem. This one was: how to initially download? Then you're back to OpenPGP, which very few people use. > Other than this, our current take on it is, I believe, making it > easier to verify OpenPGP detached signatures. E.g. we're working to > make it work flawlessly on the GNOME desktop. So you're working with Debian/upstream to integrate OpenPGP verification better into the operating system? -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
