Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2019/08/16 06:34]
persmule
+++ blug-canary-2 [2020/02/21 02:10]
persmule
@@ Line 8: / Line 8: @@
 ====================================
-Issued for August 2019.
+Issued for February 2020.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 16: / Line 16: @@
 ~~~~~~~~~~~~~
-* biergaizi: 0xFAD3EB05E88E8D6D
+* biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
-* persmule : 0x2987A25DAC8454A5
+* persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
-* wnereiz  : 0xFDFF2E13AA25BE72
+* wnereiz  : 0x0A6A91990AC98712274AA18DFDFF2E13AA25BE72
 THREE DOCUMENTS IN TOTAL.
@@ Line 55: / Line 55: @@
 . Our personal safety and security is not threatened.
-. To avoid security breaches and emphasize the clarity of the warrent canary
+. To avoid security breaches and emphasize the clarity of the warrant canary
 documents, if a signer is temporarily unavailable, only existing signers in the
 "Signer" list SHALL sign a special placeholder notice (this notice itself SHOULD
 NOT be considered a valid canary document) until the signer becomes available
-again and signs the missed documents. A new signer SHOULD NOT sign a warrent
+again and signs the missed documents. A new signer SHOULD NOT sign a warrant
 canary document only due to the temporary unavailability of a existing signer.
 . We plan to publish the next of these canary statements in the first three
-weeks of September 2019. Special note should be taken if no new canary is published
+weeks of March 2020. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 69: / Line 69: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Due to personal reasons, wnereiz (0xFDFF2E13AA25BE72) was not available and
+. Since mid-October, persmule's old signing key 0x2987A25DAC8454A5 has
-couldn't sign the warrent canary before the end of June 2019.
+expired. A new key, 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60, has been
+created and uploaded to https://keys.openpgp.org/, it can be obtained from
+this keyserver.
-. We determined that this was not a result of any incident. All statements of
+. The new key will be used by persmule to sign future warrant canary
-the warrent canary documents are still valid. Furthermore, wnereiz will continue
+documents. You can verify the signature by crosschecking the other two
-to sign the canary documents in the future.
+documents signed by biergaizi and wnereiz for consistency.
-. We determined that the decision of asking vimacs (0xEA2DB82FE04A9403) to
+. Due to this key rollover, the October message was not signed by persmule.
-replace wnereiz and sign a substitution of the canary document was flawed. This
+This did/does not indicate a security incident, all of the statements above
-decision is thus revoked.
+were valid, and are still valid.
-. To avoid future incidents, we have amended the procedure on signing warrant
+. Recent attacks on OpenPGP keyservers have raised great security concerns
-canary documents, and added a new Statement to prevent similar issues.
+within the community, as a countermeasure, persmule's personal User-ID has
+not published to the https://keys.openpgp.org/ keyserver. Instead, only
+cryptographic information can be obtained from the keyserver, without any
+User-ID. Currently, it's impossible to import a OpenPGP public key without
+User-ID to a standard GnuPG installation, as a result, it's not possible
+for a 3rd-party to verify the canary document signed by persmule.
-. The previous warrent canary documents issued for July 2019 are revoked. Only
+. We are looking for a solution. But for now, we decided that the best
-this version is valid.
+option is starting publishing new canary documents using the new key.
+As a temporary measure, you can check the canary documents signed by
+biergaizi and wnereiz to decide the validity of the Statements. By signing
+their own copies, it indicates that the new key has been verified privately
+by them as valid.
+. This effectively reduced the number of signers to two people. It reduces
+the level of confidence, but currently there is no alternative option yet.
+. Once the technical problem of OpenPGP public key without User-ID is
+resolved, you can check the previous signatures retroactively, and this
+would effectively restore the level of confidence. You can archive
+persmule's signature as soon as it's published to your own machine to
+ensure no data tampering has occured.
+. Unlike persmule, biergaizi and wnereiz's signing keys are unchanged,
+but the Key-IDs have been changed to its full fingerprint format in the
+canary document for clarity.
+. When new information is available, it will be published in the "Special
+Announcements" section in future warrant canary documents.
 Proof of Freshness
@@ Line 90: / Line 117: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Telegraph Audio Briefings: Sign up to our WhatsApp group for essential twice-daily updates
+ US intelligence chief replaced 'after clash with Donald Trump over Russian bid to boost re-election'
- Pictures of the Day: 16 August 2019
+ Windrush draft report that called Home Office institutionally racist 'was watered down'
- Edinburgh Festival Fringe's most successful act? A dead hang challenge
+ Grace Millane killer sentenced to life in prison in New Zealand for murder of British backpacker
- Donald Trump 'has discussed buying Greenland from Denmark'
+ Regent's Park mosque stabbing: man in his 70s attacked during prayers
- French 'spiderman' Alain Robert climbs Hong Kong skyscraper to unfurl 'peace banner'
+ Thursday evening news briefing: Stabbing in London mosque
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Israel Denies Entry to Omar and Tlaib After Trumps Call to Block Them
+ Coronavirus Live Updates: Clusters in Japan May Hint at How Virus Spreads
- Gibraltar Releases Iranian Tanker, Hours After U.S. Asked to Seize It
+ Far-Right Shooting Shatters an Already Fragile Sense of Security in Germany
- Going From Hong Kong to Mainland China? Your Phone Is Subject to Search
+ A Police State With an Islamist Twist: Inside Hifters Libya
- Leftist Atop Argentina Race Moves From Kirchners Shadow. Will His Policies Follow?
+ U.S. and Allies Blame Russia for Cyberattack on Republic of Georgia
- The Law Israel Used to Keep Omar and Tlaib Out
+ Suspect Arrested in Stabbing at London Mosque
 $ date -R -u
-Fri, 16 Aug 2019 06:28:09 +0000
+Fri, 21 Feb 2020 02:01:48 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEfpRElbj/BG3RcF+YQmooAO3Wsm0FAl1WTbwACgkQQmooAO3W
+iQEzBAEBCgAdFiEEwonfPqgFyacM7J3iwYAPuUJ74CEFAl5POx0ACgkQwYAPuUJ7
-sm0zvxAAyYCr7/7M8JB4LPIYbW/T3oipKzHx/h3jjS3kpziEIFUTMLBkJBrOTFcR
+CFEBAgAzvltWGMHElouFtnWIfb5EU0LL9Zlfhg2V8KZ/fe+bL6mKw1H9gxwTo08
-gCDH9vTQOhS0W0bTCiDieWXrJoDFYuJHBsadnaBz8yOmFv+A4nhz93p+H+LxIdTb
+oi+GBRYQz8l4AVU1YTDO2aZNUYATIxsiBhFAEpGe1xoh3ui/9bZbUAtMZBHfoHK3
-BpiOcdy7ujomSj6CjXP3eO2Ws904944cexXNpUYErBBPmOi9ABdGVCCGpO4d/n
+ff6UnbfbHZOWUyfh03UNllZ3cdVBzQ9c64LrFlPmu2zNaif2/QTvESOpuDfNwRoR
-oG5qhl7QFJaMemHCno5NkDu6UqWibUkRMolfuNeuP2OMrMcwDB/HHVm5iICx5F7J
+CDsOg434SMB5T8mruLDy7NPyqey+03BpkhEMalskn6ra8FQWmct7q2xVfkB5HRhy
-wnFFwdil2+apBprv/SJ04xE1sL+TspOMFR1Z2ntuM9PBiul2TTAVFgBs88OWM/9
+l4SGWGNI8eE9+atyH/wKM46Ytdx0zgBCHQ95yeWa4kwAn6EP9kYMEqMRCSAdHauW
-v+mT+3nm6fKzSZfMw2iW0noYsLLb0rBR8pqWemm3eOyav76qZVa4mmX51jv1XeiD
+Mp4GAH94izVkxwDQ6R7X9o2WdmZh7w==
-yfN3AzosN1VQzedANM9N/ISokPrIUimxNEjO+wvJmXgMYKpXNMkN5ill6ZYZWvqK
+=1OSg
-OwMM18zEebIXpOMHTrQpjp7DCPZx91uwpFEs2eRaAH4yPxSzfyBURAGbU/jYV/jz
-psIdy+LJyIZedoO1Gqg91DcW8398ImKrOJYrSnM6QlKzhStciy8Ijo+c9AQnEQy7
-XV7wM/BQd3wh7+lWMqtutZ3xqM0hXyZGPc87qrf+KFdjygBanFzlqe53LTmVNy3y
-hYpqEywD4au9DJfvsZin3y5pCHHsI9MGkT6jslKaSUJHnceBMQo=
-=hbC4
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools