Hi,
adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
> Goal:
> - big file downloads
> - at least as secure as TLS
> - at least as simple as a regular download using a browser
> - not using TLS itself (too expensive) for bulk download
> The problem: [...]
+ verify that the signed file you've downloaded is actually the
version you intended to download, and not an older, also properly
signed one.
See tools that take this into account:
- Thandy (already mentioned by Moritz)
- our design for incremental updates:
https://tails.boum.org/todo/incremental_upgrades/
- TUF:
https://www.updateframework.com/
Other than this, our current take on it is, I believe, making it
easier to verify OpenPGP detached signatures. E.g. we're working to
make it work flawlessly on the GNOME desktop.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc