[Tails-dev] About the future of the OpenPGP verification ins…

Author: sajolida
Date:  
To: The Tails public development discussion list, tchou
New-Topics: Re: [Tails-dev] About the future of the OpenPGP verification instructions
Subject: [Tails-dev] About the future of the OpenPGP verification instructions
I wanted to discuss this during the February meeting but we ended up
doing different things. So I thought I might raise the issue here
instead. When I'm saying "here", I'm actually not sure whether tails-ux
or tails-dev is the best place. So I'm writing to tails-dev as I got
more concerns raised by people from tails-dev than by people from
tails-ux :)

As a reminder, I initially submitted a branch for 2.0 which removes the
current OpenPGP verification instructions. We ended up not doing this
and, for the time being, pointing to the Installation Assistant by
default, pointing to the old installation instructions as a fallback,
pointing to the old OpenPGP instructions from the "Learn how to do this"
link after a successful verification through the browser extension, but
we didn't decide yet about the future of these old pages.

The ticket is #11027.

The installation assistant forces people to do a verification
equivalent to HTTPS (Browser extension or BitTorrent). With this in
mind, the OpenPGP verification only makes sense for people:

  - Using the web-of-trust, as we're documenting in /install/debian/usb.
  - Relying on TOFU. Note that with automatic upgrades and in the future
    with full self upgrades (#7499), a typical user won't download and
    verify ISO images very often, or at least will rely on this "first use"
    for quite a while. TOFU only improves the security of the subsequent
    uses.
  - Correlating downloads (/doc/get/trusting_tails_signing_key#index1h1),
    which is not a proper cryptographic technique and is quite
    impractical for a first-time user.

So really, the OpenPGP verification mostly makes sense if using the
web-of-trust.

The current instructions focus on step-by-step instructions on how to
download the key and verify the ISO image against it, which doesn't
provide strong authenticity (see /download.html#index3h1). They are
fairly complicated (see the user support load on the "Not enough
information to check the signature validity." message) but were very
relevant before we could provide HTTPS-equivalent verification for
everybody. In them, trusting the Tails signing key was proposed as an
additional check to provide authenticity.

I think we should acknowledge that proper OpenPGP verification with
the web-of-trust is not accessible to first-time users who landed on
our website and want to give Tails a try. But it is for people who
already know the basics of OpenPGP for encrypting their emails, for
example.

So as a general direction, I think we should focus on:

  - Documenting better the strategy behind the web-of-trust which is the
    game changer here.
  - Pushing bits of OpenPGP verification to Tails Installer.

And not so much on providing step-by-step instructions for OpenPGP
basics. Not that it's a bad thing as such, but more as a question of
priority. Also note that, as a general policy, documenting how to use
Gpg4Win, GPGTools, etc. could be considered out-of-scope in our
documentation.

Regarding what to do now, I propose we:

  - Rescue /download.html#index3h1 and make it clear in the intro that
    this is meant for people who already know the basics of OpenPGP and
    insist more on the web-of-trust verification.
  - I'm not sure it's relevant to keep /doc/get/verify_*, further
    improve these pages (see #7147), etc. Maybe helping upstream on the
    long-term would be better but we've not been very good at this in
    the past.
  - I'm not sure what to do with the download correlation technique
    right now, but I don't mind leaving it around for some time.