Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2019/08/16 06:34]
persmule
+++ blug-canary-2 [2020/01/18 03:44]
persmule
@@ Line 8: / Line 8: @@
 ====================================
-Issued for August 2019.
+Issued for January 2020.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 16: / Line 16: @@
 ~~~~~~~~~~~~~
-* biergaizi: 0xFAD3EB05E88E8D6D
+* biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
-* persmule : 0x2987A25DAC8454A5
+* persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
-* wnereiz  : 0xFDFF2E13AA25BE72
+* wnereiz  : 0x0A6A91990AC98712274AA18DFDFF2E13AA25BE72
 THREE DOCUMENTS IN TOTAL.
@@ Line 55: / Line 55: @@
 . Our personal safety and security is not threatened.
-. To avoid security breaches and emphasize the clarity of the warrent canary
+. To avoid security breaches and emphasize the clarity of the warrant canary
 documents, if a signer is temporarily unavailable, only existing signers in the
 "Signer" list SHALL sign a special placeholder notice (this notice itself SHOULD
 NOT be considered a valid canary document) until the signer becomes available
-again and signs the missed documents. A new signer SHOULD NOT sign a warrent
+again and signs the missed documents. A new signer SHOULD NOT sign a warrant
 canary document only due to the temporary unavailability of a existing signer.
 . We plan to publish the next of these canary statements in the first three
-weeks of September 2019. Special note should be taken if no new canary is published
+weeks of February 2020. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 69: / Line 69: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Due to personal reasons, wnereiz (0xFDFF2E13AA25BE72) was not available and
+. Since mid-October, persmule's old signing key 0x2987A25DAC8454A5 has
-couldn't sign the warrent canary before the end of June 2019.
+expired. A new key, 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60, has been
+created and uploaded to https://keys.openpgp.org/, it can be obtained from
+this keyserver.
-. We determined that this was not a result of any incident. All statements of
+. The new key will be used by persmule to sign future warrant canary
-the warrent canary documents are still valid. Furthermore, wnereiz will continue
+documents. You can verify the signature by crosschecking the other two
-to sign the canary documents in the future.
+documents signed by biergaizi and wnereiz for consistency.
-. We determined that the decision of asking vimacs (0xEA2DB82FE04A9403) to
+. Due to this key rollover, the October message was not signed by persmule.
-replace wnereiz and sign a substitution of the canary document was flawed. This
+This did/does not indicate a security incident, all of the statements above
-decision is thus revoked.
+were valid, and are still valid.
-. To avoid future incidents, we have amended the procedure on signing warrant
+. Recent attacks on OpenPGP keyservers have raised great security concerns
-canary documents, and added a new Statement to prevent similar issues.
+within the community, as a countermeasure, persmule's personal User-ID has
+not published to the https://keys.openpgp.org/ keyserver. Instead, only
+cryptographic information can be obtained from the keyserver, without any
+User-ID. Currently, it's impossible to import a OpenPGP public key without
+User-ID to a standard GnuPG installation, as a result, it's not possible
+for a 3rd-party to verify the canary document signed by persmule.
-. The previous warrent canary documents issued for July 2019 are revoked. Only
+. We are looking for a solution. But for now, we decided that the best
-this version is valid.
+option is starting publishing new canary documents using the new key.
+As a temporary measure, you can check the canary documents signed by
+biergaizi and wnereiz to decide the validity of the Statements. By signing
+their own copies, it indicates that the new key has been verified privately
+by them as valid.
+. This effectively reduced the number of signers to two people. It reduces
+the level of confidence, but currently there is no alternative option yet.
+. Once the technical problem of OpenPGP public key without User-ID is
+resolved, you can check the previous signatures retroactively, and this
+would effectively restore the level of confidence. You can archive
+persmule's signature as soon as it's published to your own machine to
+ensure no data tampering has occured.
+. Unlike persmule, biergaizi and wnereiz's signing keys are unchanged,
+but the Key-IDs have been changed to its full fingerprint format in the
+canary document for clarity.
+. When new information is available, it will be published in the "Special
+Announcements" section in future warrant canary documents.
 Proof of Freshness
@@ Line 90: / Line 117: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Telegraph Audio Briefings: Sign up to our WhatsApp group for essential twice-daily updates
+ Thank you, don't come again: The Simpsons' Apu will no longer be voiced by white actor Hank Azaria after accusations of racism
- Pictures of the Day: 16 August 2019
+ 'Phantom effect' of bobbies on beat cuts crime by a fifth
- Edinburgh Festival Fringe's most successful act? A dead hang challenge
+ Late passenger who phoned in bomb threat to delay his flight is jailed for 16 months
- Donald Trump 'has discussed buying Greenland from Denmark'
+ Rotherham police did not do enough to protect girls from abuse by Asian men, says watchdog
- French 'spiderman' Alain Robert climbs Hong Kong skyscraper to unfurl 'peace banner'
+ NHS tells video game firms to stop luring children into gambling
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Israel Denies Entry to Omar and Tlaib After Trumps Call to Block Them
+ Indian General Talks of Deradicalization Camps for Kashmiris
- Gibraltar Releases Iranian Tanker, Hours After U.S. Asked to Seize It
+ Chinas Birthrate Hits Historic Low, in Looming Crisis for Beijing
- Going From Hong Kong to Mainland China? Your Phone Is Subject to Search
+ French Strikers Shut Down the Louvre, Setting a New Target in a Pension Fight
- Leftist Atop Argentina Race Moves From Kirchners Shadow. Will His Policies Follow?
+ Putin and the Art of Stepping Down Gracefully While Keeping a Grip on Power
- The Law Israel Used to Keep Omar and Tlaib Out
+ Irans Supreme Leader Rebukes U.S. in Rare Friday Sermon
 $ date -R -u
-Fri, 16 Aug 2019 06:28:09 +0000
+Sat, 18 Jan 2020 03:42:32 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEfpRElbj/BG3RcF+YQmooAO3Wsm0FAl1WTbwACgkQQmooAO3W
+iQEzBAEBCgAdFiEEwonfPqgFyacM7J3iwYAPuUJ74CEFAl4ifs0ACgkQwYAPuUJ7
-sm0zvxAAyYCr7/7M8JB4LPIYbW/T3oipKzHx/h3jjS3kpziEIFUTMLBkJBrOTFcR
+CFIAwgA1sja0lScSiRmH8zjdfhVU/jLPX2QkYDLSUKQk6QjETzqBZsxv22ArQJo
-gCDH9vTQOhS0W0bTCiDieWXrJoDFYuJHBsadnaBz8yOmFv+A4nhz93p+H+LxIdTb
+cRWBmdv/BlnQI0fEU7Kn0q5rj28suz6/eUMNETXWScwIMMlx9rl4qnBtGy08Igyv
-BpiOcdy7ujomSj6CjXP3eO2Ws904944cexXNpUYErBBPmOi9ABdGVCCGpO4d/n
+K1P6UGn8pE4hT5TwVNQ7VTs6D5vkvX6egu2g+CXPRMTDsAWqQh6UeV7Lke1iIHuU
-oG5qhl7QFJaMemHCno5NkDu6UqWibUkRMolfuNeuP2OMrMcwDB/HHVm5iICx5F7J
+aw9pG4AUDjCZhIJYnOvSwXF8gwXbGuiqCqVYju0mtO3uERASSPQC7VTe92Mi568C
-wnFFwdil2+apBprv/SJ04xE1sL+TspOMFR1Z2ntuM9PBiul2TTAVFgBs88OWM/9
+bW59zl6xfyDRtFcVqxtNNxoPdehUPb8o+eFck2hB6t/VyAPW/325J2XgaMcMXgm
-v+mT+3nm6fKzSZfMw2iW0noYsLLb0rBR8pqWemm3eOyav76qZVa4mmX51jv1XeiD
+MvMimzz1EzJnycjhc3c20nFv0jR/Sw==
-yfN3AzosN1VQzedANM9N/ISokPrIUimxNEjO+wvJmXgMYKpXNMkN5ill6ZYZWvqK
+=ADac
-OwMM18zEebIXpOMHTrQpjp7DCPZx91uwpFEs2eRaAH4yPxSzfyBURAGbU/jYV/jz
-psIdy+LJyIZedoO1Gqg91DcW8398ImKrOJYrSnM6QlKzhStciy8Ijo+c9AQnEQy7
-XV7wM/BQd3wh7+lWMqtutZ3xqM0hXyZGPc87qrf+KFdjygBanFzlqe53LTmVNy3y
-hYpqEywD4au9DJfvsZin3y5pCHHsI9MGkT6jslKaSUJHnceBMQo=
-=hbC4
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools