Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2019/07/23 06:12]
persmule
+++ blug-canary-2 [2020/02/21 02:10]
persmule
@@ Line 8: / Line 8: @@
 ====================================
-Issued for July 2019.
+Issued for February 2020.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 16: / Line 16: @@
 ~~~~~~~~~~~~~
-* biergaizi: 0xFAD3EB05E88E8D6D
+* biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
-* persmule : 0x2987A25DAC8454A5
+* persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
-* vimacs   : 0xEA2DB82FE04A9403
+* wnereiz  : 0x0A6A91990AC98712274AA18DFDFF2E13AA25BE72
 THREE DOCUMENTS IN TOTAL.
@@ Line 55: / Line 55: @@
 . Our personal safety and security is not threatened.
-. To avoid security breaches and emphasize the clarity of the warrent canary
+. To avoid security breaches and emphasize the clarity of the warrant canary
 documents, if a signer is temporarily unavailable, only existing signers in the
 "Signer" list SHALL sign a special placeholder notice (this notice itself SHOULD
 NOT be considered a valid canary document) until the signer becomes available
-again and sign the missed documents. A new signer SHOULD NOT sign a warrent
+again and signs the missed documents. A new signer SHOULD NOT sign a warrant
 canary document only due to the temporary unavailability of a existing signer.
 . We plan to publish the next of these canary statements in the first three
-weeks of August 2019. Special note should be taken if no new canary is published
+weeks of March 2020. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 69: / Line 69: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Due to personal reasons, wnereiz (0xFDFF2E13AA25BE72) was not available and
+. Since mid-October, persmule's old signing key 0x2987A25DAC8454A5 has
-couldn't sign the warrent canary before the end of June 2019.
+expired. A new key, 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60, has been
+created and uploaded to https://keys.openpgp.org/, it can be obtained from
+this keyserver.
-. We determined that this was not a result of any incident. All statements of
+. The new key will be used by persmule to sign future warrant canary
-the warrent canary documents are still valid. Furthermore, wnereiz will continue
+documents. You can verify the signature by crosschecking the other two
-to sign the canary documents in the future.
+documents signed by biergaizi and wnereiz for consistency.
-. We determined that the decision of asking vimacs (0xEA2DB82FE04A9403) to
+. Due to this key rollover, the October message was not signed by persmule.
-replace wnereiz and sign a substitution of the canary document was flawed. This
+This did/does not indicate a security incident, all of the statements above
-decision is thus revoked.
+were valid, and are still valid.
-. To avoid future incidents, we have amended the procedure on signing warrant
+. Recent attacks on OpenPGP keyservers have raised great security concerns
-canary documents, and added a new Statement to prevent similar issues.
+within the community, as a countermeasure, persmule's personal User-ID has
+not published to the https://keys.openpgp.org/ keyserver. Instead, only
+cryptographic information can be obtained from the keyserver, without any
+User-ID. Currently, it's impossible to import a OpenPGP public key without
+User-ID to a standard GnuPG installation, as a result, it's not possible
+for a 3rd-party to verify the canary document signed by persmule.
-. The previous warrent canary documents issued for July 2019 are revoked. Only
+. We are looking for a solution. But for now, we decided that the best
-this version is valid.
+option is starting publishing new canary documents using the new key.
+As a temporary measure, you can check the canary documents signed by
+biergaizi and wnereiz to decide the validity of the Statements. By signing
+their own copies, it indicates that the new key has been verified privately
+by them as valid.
+. This effectively reduced the number of signers to two people. It reduces
+the level of confidence, but currently there is no alternative option yet.
+. Once the technical problem of OpenPGP public key without User-ID is
+resolved, you can check the previous signatures retroactively, and this
+would effectively restore the level of confidence. You can archive
+persmule's signature as soon as it's published to your own machine to
+ensure no data tampering has occured.
+. Unlike persmule, biergaizi and wnereiz's signing keys are unchanged,
+but the Key-IDs have been changed to its full fingerprint format in the
+canary document for clarity.
+. When new information is available, it will be published in the "Special
+Announcements" section in future warrant canary documents.
 Proof of Freshness
@@ Line 90: / Line 117: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Pictures of the Day: 23 July 2019
+ US intelligence chief replaced 'after clash with Donald Trump over Russian bid to boost re-election'
- Kim Jong-un inspects new submarine as North Korea sends message to US
+ Windrush draft report that called Home Office institutionally racist 'was watered down'
- Axed Springwatch presenter Martin Hughes-Games: white, middle-aged men an endangered species on TV
+ Grace Millane killer sentenced to life in prison in New Zealand for murder of British backpacker
- 'Milkshake' tax proposals included in green paper despite Boris Johnson's opposition to 'nanny state' policies
+ Regent's Park mosque stabbing: man in his 70s attacked during prayers
- UK heatwave:Britain could experience hottest night on record, as NHS advises people to keep windows shut
+ Thursday evening news briefing: Stabbing in London mosque
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Mob Attack at Hong Kong Train Station Heightens Seething Tensions in City
+ Coronavirus Live Updates: Clusters in Japan May Hint at How Virus Spreads
- Even as Tensions With Iran Rise Over Seized Ship, U.K. Stays Committed to Nuclear Deal
+ Far-Right Shooting Shatters an Already Fragile Sense of Security in Germany
- India Launches Chandrayaan-2 Moon Mission on Second Try
+ A Police State With an Islamist Twist: Inside Hifters Libya
- With Guns, Cash and Terrorism, Gulf States Vie for Power in Somalia
+ U.S. and Allies Blame Russia for Cyberattack on Republic of Georgia
- Venezuela Blackout Leaves Caracas, and Much of the Country, Without Power
+ Suspect Arrested in Stabbing at London Mosque
 $ date -R -u
-Tue, 23 Jul 2019 06:08:01 +0000
+Fri, 21 Feb 2020 02:01:48 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEfpRElbj/BG3RcF+YQmooAO3Wsm0FAl02pI8ACgkQQmooAO3W
+iQEzBAEBCgAdFiEEwonfPqgFyacM7J3iwYAPuUJ74CEFAl5POx0ACgkQwYAPuUJ7
-sm1VVA/7B8s0FZASvwyjX63b0JgALRa8vxlB2WPO1buV1DaBGlqg5uk4zBlH+p9Y
+CFEBAgAzvltWGMHElouFtnWIfb5EU0LL9Zlfhg2V8KZ/fe+bL6mKw1H9gxwTo08
-uhd7Jv9HDa8P/MwIDXaAj6K/D2chXBHmApBpS9ndQmKVG3SwOqVjrFm5EhYs1Hc7
+oi+GBRYQz8l4AVU1YTDO2aZNUYATIxsiBhFAEpGe1xoh3ui/9bZbUAtMZBHfoHK3
-XyftgzgUi73W0ailBwOIVhokHFlCJjIbaKFgDt+sFeAi6q9sUyzJNsKNzrfpypRk
+ff6UnbfbHZOWUyfh03UNllZ3cdVBzQ9c64LrFlPmu2zNaif2/QTvESOpuDfNwRoR
-IiX20B10qEgtTVhKXnsbpOHeHP99afTPkvdmSnlXLHZHZgLCCyI7otTdLFfuNsGY
+CDsOg434SMB5T8mruLDy7NPyqey+03BpkhEMalskn6ra8FQWmct7q2xVfkB5HRhy
-hPlXTlMg692+hiMTxy+N1F7QUO9syvyG4KvAyricPbR3nqnlvrC2GBgFHufiLs2X
+l4SGWGNI8eE9+atyH/wKM46Ytdx0zgBCHQ95yeWa4kwAn6EP9kYMEqMRCSAdHauW
-ZvR8yxixMUeiaJv3o+36ER+wH6VYMS50B334J7AfHqtjLk62k0MVNCue0nGslQxs
+Mp4GAH94izVkxwDQ6R7X9o2WdmZh7w==
-lkdlRizNJ4DyUuDOQoEPy4O9Pw1aCancfR3/7iHikJxZNLrQuACABN3Jw6+2ptFu
+=1OSg
-yCMArMLA3zA029bNbxPmueefN4OJ+9+I61FzWltSI8mkySP35TuxiRtVLEfRKRbJ
-mmVlNtqVXmjmF5H5OVT7mFpHEsUvfskNlhhJlVzg57z7Dcy7MYlqyUowXxGj5BDn
-vv9IcU//les7J3EpJTL8SRwTnsu37+L8PzD8G6kKz+BF1VxORUkps2pFELgUS47b
-c7BuL4qPnf3cxwq9dEbaWd7zBj/FWxJOZlkx5PmcHEJju/k3wt0=
-=Y9gA
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools