-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2017-04-01 10:39, iry wrote: > Hi Radoslaw, thank you very much for your reply! > > Radoslaw Szkodzinski: >> Easy to answer: The proof of freshness is simply to show these >> were not made ahead of time and then released later after a >> compromise to fool everyone. > > Could you please tell me "these were not made ahead of time" by > whom? > > If it is used to prove "these were not made ahead of time" by Qubes > developers, then it is assuming that we do not trust the Qubes > developers who made and signed the warrant. > > 1. But if we do not trust them not signing the warrant in advance, > why can we trust what they said in the warrant? Won't the whole > warrant become meaningless? 2. Besides, if we do not trust them, > we can even assume they are just using a script that can generate, > sign and publish the warrant automatically every certain length of > time. > > If we trust the Qubes developers who made and signed the warrant, > shouldn't the system date included in the signed message blocks be > enough to prove the freshness? > > If it is used to prove "these were not made ahead of time" by an > adversary, then it may make a little bit more sense. > > Thank you very much! I am Looking forward to a further discussion! >
A good question, but it sounds like you're assuming a simplistic, binary model of trust that doesn't accurately reflect trust dynamics in the real world. Just because an assertion *can* be accepted on trust doesn't mean that there's no value in providing proof for it, especially if the proof is easy to produce. Providing proof in one area (especially at consistent intervals over a long period of time) can serve to bolster overall trust. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJY4ExMAAoJENtN07w5UDAwFkkQAKn1ODvRVUqk+5ybTZtXf4k3 3Uz2uUEvOENfxhfJtzYP9qUY8c41VhjDzT33o/ja4q0powzDHTa3XC0SGKF55bhK F5Z9labhS9wPC6JSBLXK4WV4zx/kqPz3A0yaXluqMOviMgFu3oTiceFzd3YCau2h IFJVX1Hu6pCWc2otJOwDgkOCw/pH/Dbmrg7/7sP+AXiwP29QVBgVGC+JIgTYhkgw YV/JkfIYzo7H8JlORPKdxXThjjZLekKLHxIoDJ/kg8EYEjD/qQ9nswosauWddM3h A0lLaQlbjpQI/V9bK+yzKSCy/0coyrcg82LR9oa9npf/poQ1SQVpq25gzO3522uU OVfsm9yPDSw1pmOzzKfUFWVFLgy6OJj4jxwVCPZQoQ0IMhCsfyydn8m0B8LPDfK2 q8lOA9XXFcEU9tqfe2eRzCHjN46M/p+TXO5rPUuAq2N9jZ3WOWQbE8dP4udSzAZC BKkceDEPJfsWPXyUNC3Q7KKV/EgUn0phQFK1xnQL4OwR3dV7/9aJinKQkVJxq/sS rd8oyv0pQXkIHxTBpXCDK0tVgnIpP9XfY6gNf2p5dThKkrF1Eu0G/Z7+DaA+ROjH YNwfjzPcbl42bdwfZfSgQp9MvIbP4NMPCZHvOw7M/QkAvhV3P6t+E6SbSMgihKdY hVBoDIAoA6w+8z6fhUq7 =SlLs -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/3a030500-6082-da61-8607-112730f466c9%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
