Differences

This shows you the differences between two versions of the page.

--- blug-canary-1 [2019/12/31 10:54]
Tom Li
+++ blug-canary-1 [2024/03/30 20:52] (current)
BLUG Admin
@@ Line 15: / Line 15: @@
 ====================================
-Issued for December 2019.
+Issued for March 2024.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 25: / Line 25: @@
 * biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
 * persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
-* wnereiz  : 0x0A6A91990AC98712274AA18DFDFF2E13AA25BE72
+* vimacs   : 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403
 THREE DOCUMENTS IN TOTAL.
@@ Line 70: / Line 70: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of January 2020. Special note should be taken if no new canary is published
+weeks of April 2024. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
+. Due to the ongoing security issues of OpenPGP keyservers, it makes signature
+verification an issue and somewhat a challenge. For completeness, complete
+procedures for canary verification is included here.
 Special Announcements
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Since mid-October, persmule's old signing key 0x2987A25DAC8454A5 has
+. We've found a workaround for importing keys on https://keys.openpgp.org
-expired. A new key, 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60, has been
+without User-ID. The instructions for verifying persmule's signatures have
-created and uploaded to https://keys.openpgp.org/, it can be obtained from
+been added.
-this keyserver.
+Canary Verification Procedures
+~~~~~~~~~~~~~~~~~~~~~~~~
+. To verify biergaizi's signature...
+    a. Obtain the public key from any traditional OpenPGP Keyserver, such as
+    https://keyserver.ubuntu.com, and import the public key. The fingerprint
+    is 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D.
+    b. Use the latest GnuPG in any operating system.
+. To verify persmule's signature...
-. The new key will be used by persmule to sign future warrant canary
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-documents. You can verify the signature by crosschecking the other two
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-documents signed by biergaizi and wnereiz for consistency.
+    the standard method, it's impossible to import a OpenPGP public key without
+    User-ID. But since April 2013, we have developed a workaround, described
+    below.
-. Due to this key rollover, the October message was not signed by persmule.
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-This did/does not indicate a security incident, all of the statements above
+    such as https://keyserver.ubuntu.com, and import the public key. The
-were valid, and are still valid.
+    fingerprint is 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60. Note that, to
+    import this key, one must copy and paste the key in ASCII from the Keyserver
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-. Recent attacks on OpenPGP keyservers have raised great security concerns
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-within the community, as a countermeasure, persmule's personal User-ID has
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-not published to the https://keys.openpgp.org/ keyserver. Instead, only
+    E-mail address, "glahamm <yiam5Od@gliwrad.invalid>"). Its sole purpose is
-cryptographic information can be obtained from the keyserver, without any
+    allowing the subsequent import of additional subkeys.
-User-ID. Currently, it's impossible to import a OpenPGP public key without
-User-ID to a standard GnuPG installation, as a result, it's not possible
-for a 3rd-party to verify the canary document signed by persmule.
-. We are looking for a solution. But for now, we decided that the best
+    d. Next, with the stub key already imported, obtain the public key from
-option is starting publishing new canary documents using the new key.
+    https://keys.openpgp.org using the same fingerprint, and import this key.
-As a temporary measure, you can check the canary documents signed by
+    Because the dummy key with its stub User-ID is already in presence, it's
-biergaizi and wnereiz to decide the validity of the Statements. By signing
+    now possible to import the https://keys.openpgp.org public key directly.
-their own copies, it indicates that the new key has been verified privately
-by them as valid.
-. This effectively reduced the number of signers to two people. It reduces
+    e. Use the latest GnuPG in most operating system, the signatures made by
-the level of confidence, but currently there is no alternative option yet.
+    persmule's key can now be verified as usual. Debian is known to work, most
+    other systems should work just fine, but not Fedora. The subkeys contains
+    signatures made with Brainpool curves, which are disabled on Fedora due to
+    potential patent-licensing problems, causing a "Unknown elliptic curve"
+    error.
-. Once the technical problem of OpenPGP public key without User-ID is
+. To verify vimacs' signature...
-resolved, you can check the previous signatures retroactively, and this
-would effectively restore the level of confidence. You can archive
-persmule's signature as soon as it's published to your own machine to
-ensure no data tampering has occured.
-. Unlike persmule, biergaizi and wnereiz's signing keys are unchanged,
+    a. Obtain the public key from any traditional OpenPGP Keyserver, such as
-but the Key-IDs have been changed to its full fingerprint format in the
+    https://keyserver.ubuntu.com, and import the public key. The fingerprint
-canary document for clarity.
+    is 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403.
-. When new information is available, it will be published in the "Special
+    b. Use the latest GnuPG in any operating system.
-Announcements" section in future warrant canary documents.
 Proof of Freshness
@@ Line 124: / Line 140: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- New Year's Eve 2020 celebrations and fireworks around the world
+ Thursday evening news briefing: Michael Goves no-fault evictions ban thrown into doubt
- US embassy in Baghdad evacuated as protesters denounce US air strikes
+ Wednesday evening news briefing: Landlords could be banned from raising rent under radical SNP crackdown
- Australia Day 2020: Why the British sent convicts Down Under - and how they named the country
+ Tuesday evening news briefing: Biden vows to move heaven and earth to rebuild Baltimore bridge
- The Telegraph's top 25 stories of the year: from the Philip Green accusers to Joaquin Phoenix's big interview walk-out
+ Monday evening news briefing: UK unveils sanctions after MPs targeted by China
- Chinese New Year 2020: Rats, luck and why you should avoid medicine, laundry and crying children
+ Thursday evening news briefing: Waspi scandal compensation branded a betrayal
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- American Airstrikes Rally Iraqis Against U.S.
+ How African Immigrants Have Revived a Remote Corner of Quebec
- Inside Chinas Push to Turn Muslim Minorities Into an Army of Workers
+ A Stork, a Fisherman and Their Unlikely Bond Enchant Turkey
- A Slow-Motion Chernobyl: How Lax Laws Turned a River Into a Disaster
+ Kings College Chapel, 438 Solar Panels and an Architectural Squabble in Cambridge
- Left Behind by Migrant Husbands, Women Break the Rules and Go to Work
+ Troop-Starved Ukrainian Brigades Turn to Marketing to Attract Recruits
- In Indonesia, Outlaw Gold Miners Poison Themselves to Survive
+ Dispute in Israel Over Drafting Ultra-Orthodox Jews Threatens Netanyahu
 $ date -R -u
-Tue, 31 Dec 2019 10:52:37 +0000
+Sat, 30 Mar 2024 20:51:12 +0000
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAl4LKIkACgkQ+tPrBeiO
+iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAmYIe28ACgkQ+tPrBeiO
-jW1d7A/9Gh/qbEAASTx7l+sY848cANrEkPu5OsHFWDQaChpLfrWV0OK0wsfryKjX
+jW1yghAAkUYMlYuGg3ihG1uBw417y2oNvBGvCk4HYtIElrbd2DNL/JV/+/LkQW/Z
-XbDXPMSgz3Bd1j2F7BH4u+Nh28Bfx0UTEmf9Ityiwnm93ReFLHr3U/RUuYVJ9jPM
+rKMBgGtYHk/xGj9lZEmt1te6Mj+w+dS91ykoHAlNCAQ6RdNe9AQLvQd2Up9JlSTr
-xxhaSaoKkQtZkxrTNjxWd1MshypEAeIN74wew/0VlM5S1Bd1lB+gmnmcechztKiL
+obl/GMRBmJQNjaZf+mPWVbogmGq83lcoLK806ObfHPYBqRg+nxNQ85b19YUm2o5T
-YGertw4CKWCE9qYELPpBqCNz07l7J8RH/oGoTghraJ9knyTboIvr80MupwHA8rMG
+JH7EsqEUBpCdrzyv7uYWLNOru2t6IvSXNcjB1Ay5CpwO3Bchu8EIhp433Wd5x/yb
-yB/get/uYEuYiU5AfzvUN+DUuhpbhklipEsDSXhOWAx9hVusBGRGYUpUY2ujvdjj
+xTPKkdC8yuusZCR/zLIUX7cJWYH7VH+chWf1RxAlkNQ5CCd51I741wY7/rYB5ZSU
-pU6ylYz3t4ia1mKj4H4gbELZnFuqympPPLCHMRLblhMv9D0vgaA3bBDWVRc+C
+r4wib3+hnWYIktr4GC7QSeRhxocJcMHuKHWz6SgOQWqQDf8dYRiPGr72xtiZD2w9
-kUvJiN7v4aY+X2KXhrIFMs0wuCH8JABoAY42Zve5Me5tTn6hArH8rpcZ6GCC9pCq
+W13osDpdkZkULD3lKxp/dwpklOlciComr1xGOk0wQoC7QpRlY+2wpUyIfAKxjaM
-FjH2sNT9rR4bdQb9sOadBIQhiJb9GteyTy3buTd6zLj6/0zvNTzyqo+DXZfUTHO1
+oWsUYeIw8nWnxXljk8jNgSJ0XOnB4Po85xtWLk3MpAViy+s/RwwVEyam0CokgVw8
-J1UvtQFTwUnmLw6Ur+mWZDLGKCnPVsTzLKb6BnimCpRlbXQq3bDa69Gieb6JCw8l
+dcUjL3ZZquPGUzhDCD/s/4Hb3HCGABKhd0rpWEsTL8DOaRahwBoGU7s9g07zQZal
-PAlNM48XOJalTGL1yE1Es3Io2VOZS9c00FA57ytvEI52KUCKhHiw4rbWdHsQzOUr
+J7XHj8bGfbwmvBJoFO9jUFt+o2M7g+G00GsqPhQ7eIIKzFcuqMlR41ajWYUUHmD9
-DMzj2MnWTwGexZ5YP7l/lPNXaamJSsMLZOQP27UiPOlt6jWj9TY=
+Jq6fwrZZ+zgyKnjZ75E94uQqd7e54DF8wcpYoV/W1FEBSVBJgco=
-=1OF7
+=5M8V
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools