Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2019/09/30 17:44]
BLUG Admin old revision restored (2019/07/24 03:57)
+++ blug-canary-2 [2019/11/21 16:06]
persmule
@@ Line 8: / Line 8: @@
 ====================================
-Issued for July 2019.
+Issued for November 2019.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 16: / Line 16: @@
 ~~~~~~~~~~~~~
-* biergaizi: 0xFAD3EB05E88E8D6D
+* biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
-* persmule : 0x2987A25DAC8454A5
+* persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
-* wnereiz  : 0xFDFF2E13AA25BE72
+* wnereiz  : 0x0A6A91990AC98712274AA18DFDFF2E13AA25BE72
 THREE DOCUMENTS IN TOTAL.
@@ Line 55: / Line 55: @@
 . Our personal safety and security is not threatened.
-. To avoid security breaches and emphasize the clarity of the warrent canary
+. To avoid security breaches and emphasize the clarity of the warrant canary
 documents, if a signer is temporarily unavailable, only existing signers in the
 "Signer" list SHALL sign a special placeholder notice (this notice itself SHOULD
 NOT be considered a valid canary document) until the signer becomes available
-again and signs the missed documents. A new signer SHOULD NOT sign a warrent
+again and signs the missed documents. A new signer SHOULD NOT sign a warrant
 canary document only due to the temporary unavailability of a existing signer.
 . We plan to publish the next of these canary statements in the first three
-weeks of August 2019. Special note should be taken if no new canary is published
+weeks of December 2019. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 69: / Line 69: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Due to personal reasons, wnereiz (0xFDFF2E13AA25BE72) was not available and
+. Since mid-October, persmule's old signing key 0x2987A25DAC8454A5 has
-couldn't sign the warrent canary before the end of June 2019.
+expired. A new key, 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60, has been
+created and uploaded to https://keys.openpgp.org/, it can be obtained from
+this keyserver.
-. We determined that this was not a result of any incident. All statements of
+. The new key will be used by persmule to sign future warrant canary
-the warrent canary documents are still valid. Furthermore, wnereiz will continue
+documents. You can verify the signature by crosschecking the other two
-to sign the canary documents in the future.
+documents signed by biergaizi and wnereiz for consistency.
-. We determined that the decision of asking vimacs (0xEA2DB82FE04A9403) to
+. Due to this key rollover, the October message was not signed by persmule.
-replace wnereiz and sign a substitution of the canary document was flawed. This
+This did/does not indicate a security incident, all of the statements above
-decision is thus revoked.
+were valid, and are still valid.
-. To avoid future incidents, we have amended the procedure on signing warrant
+. Recent attacks on OpenPGP keyservers have raised great security concerns
-canary documents, and added a new Statement to prevent similar issues.
+within the community, as a countermeasure, persmule's personal User-ID has
+not published to the https://keys.openpgp.org/ keyserver. Instead, only
+cryptographic information can be obtained from the keyserver, without any
+User-ID. Currently, it's impossible to import a OpenPGP public key without
+User-ID to a standard GnuPG installation, as a result, it's not possible
+for a 3rd-party to verify the canary document signed by persmule.
-. The previous warrent canary documents issued for July 2019 are revoked. Only
+. We are looking for a solution. But for now, we decided that the best
-this version is valid.
+option is starting publishing new canary documents using the new key.
+As a temporary measure, you can check the canary documents signed by
+biergaizi and wnereiz to decide the validity of the Statements. By signing
+their own copies, it indicates that the new key has been verified privately
+by them as valid.
+. This effectively reduced the number of signers to two people. It reduces
+the level of confidence, but currently there is no alternative option yet.
+. Once the technical problem of OpenPGP public key without User-ID is
+resolved, you can check the previous signatures retroactively, and this
+would effectively restore the level of confidence. You can archive
+persmule's signature as soon as it's published to your own machine to
+ensure no data tampering has occured.
+. Unlike persmule, biergaizi and wnereiz's signing keys are unchanged,
+but the Key-IDs have been changed to its full fingerprint format in the
+canary document for clarity.
+. When new information is available, it will be published in the "Special
+Announcements" section in future warrant canary documents.
 Proof of Freshness
@@ Line 90: / Line 117: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Sri Lanka accuses UK of hiding human remains in 100 containers of exported recycling
+ 'Designer babies' may not be as smart or tall as parents expect, study warns
- Booker Prize longlist 2019: The 1,000-page novel with only one sentence
+ Cambridge University students cry fowl over 17th century painting that upsets vegetarians
- Cadbury's launches 'diet' Dairy Milk as lower sugar bar marks first recipe change in 100 years
+ Indian businessman wore pilot disguise to get upgrades and special treatment
- Give heatwaves names so people take them more seriously, say experts, as Britain braces for hottest day
+ Russia 'ruined' Ukrainian naval vessels before handing them back, says Ukrainian navy
- Swimmer goes missing after jumping into east London dock with friends
+ Killer of Helen McCourt to be released despite refusing to reveal location of her body
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- For Boris Johnson, the Tumult Begins Inside Downing Street
+ At Odds With Labour, Britains Jews Are Feeling Politically Homeless
- Boris Johnson to Take Leadership of a Britain in Deep Crisis
+ Prince Andrews Friendship With Epstein Joins a List of Royal Scandals
- Trump and Johnson: Allies in Disruption
+ Afghanistans Curse: A Bomb From 2 Wars Ago Crushes a Family Today
- In Pakistan, a Feminist Hero Is Under Fire and on the Run
+ Arab Thinkers Call to Abandon Boycotts and Engage With Israel
- South Korean Jets Fire Warning Shots Toward Russian Military Plane
+ Rodrigo Duterte Calls for Ban on Public Vaping in the Philippines
 $ date -R -u
-Wed, 24 Jul 2019 03:53:59 +0000
+Thu, 21 Nov 2019 16:03:28 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEfpRElbj/BG3RcF+YQmooAO3Wsm0FAl031sgACgkQQmooAO3W
+iQEzBAEBCgAdFiEEwonfPqgFyacM7J3iwYAPuUJ74CEFAl3WtYsACgkQwYAPuUJ7
-sm3wUhAAvIgywMOmEkiqyHsYx7f2asOPKEFzUKzaLHHlp8cxRSgfeG4bu3QiXSK8
+CFi3ggA3x0ZIMF9pLOSagf+9JVbk7zTAzUK3BMKZTGR8CZ/TebkaSX72/SSLGEQ
-/wnIYxr8AosmQMJuLo3W3hirC/U7DQtAPxmk8AHU09x+IW1nmoUw1xW8ATKH7xkw
+g9KNf7ZxhdjKXUlU93Ori6C90yfLfGQ/mOGNjj/pcWx/s3kR9q6r/fLjG3D2UpAF
-ULNLMoMShLoWNkDZxMVtcpG3+1/akAbSqUxkntSESM736kl4Tm6JH/s9E5LQxHVw
+izX1t76YSBoAoDQ2PJbRNmpZpsGTz51CLIgEdkH+javtqqcIfhJUF+71XKdU8BNv
-Q5hJP5PPwCEpPXUharjnptudxcSVa64MDKJfGW+Pv99lKRCN/vt6oTYiMUSbxy5/
+IEtHvO9j0pD3m9mbiXW768B+R8LEQc6UKrxUc7u8aX/rXSRjcHg+F5iK8ED91fSy
-T6sfW2qYCyRDXFvVuEIHOT/3u3ubg1+zsDoEWC+Z4o+FixgndnrJ9RYWaM2AWbqD
+zs2ls4VYs2m2S8slyMm8YlKWiFZUEcVGwCvhyqNTlTvg9MVIh8ol4yFuAZ+PTfK
-LlNxbNvssD0qozv2TpTr2xhJo//EDht37hCQ8TsyMdOgj/QslvoslxZhCqLtW65z
+tXPOvb75y1ghdqYAE7xROoMvc2jQqA==
-jY7c2yJmlWUehqymVZSFn9D997o0VyymeZQmFbg4Zqdvm2uJxfhB6xj3GslYsvHl
+=yM0h
-C0M9V7bTqTrqgH/cEBl4H2XPRBp2wkSznfYWywXb9MrG4bfkGad0rxgCUL/lilDE
-LZFvgglXMiwDE/fSCt1VIE6oP/FY5GmBx66S2juRLhf3Ds0Z2tB6EsQIGiO+tmu4
-HXmDQwYKgnSNqIa7fpWvw2Shi5Qrnch1G8o3YvVCqYxUVAO6BLuGgiGO2PLaxiWE
-HeNR1fnvlwllujTj21iAJZI/ehV1aZS9WO5YFbg13hnWfAbbzM=
-=nNSR
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools