Feature #9323: Adapt current documentation with the Installation Assistant
Decide what to do with the old OpenPGP verification instructions
I proposed to remove them in e66558a and 8deae6a but some people disagree. We should have a good discussion about this.
#2 Updated by sajolida almost 4 years ago
Here is some preparation for the meeting tonight:
The installation assistant forces people to do a verification
equivalent to HTTPS (Browser extension or BitTorrent). With this in
mind, the OpenPGP verification only makes sense for people:
- Using the web-of-trust. As we're documenting in /install/debian/usb.
- Relying on TOFU. Note that with automatic upgrades and in the future
with full self upgrades (#7499), a typical user won't download and
verify ISO images very often, or at least rely on this "first use"
for quite a while. TOFU only improves the security of the subsequent
- Correlate downloads (/doc/get/trusting_tails_signing_key#index1h1).
Which is not a proper cryptographic technique and is quite
impractical for a first-time user.
So really, the OpenPGP verification mostly makes sense if using the
The current instructions focus on step-by-step instructions on how to
download the key and verify the ISO image against it; which doesn't
provide strong authenticity (see /download.html#index3h1). They are
fairly complicated (see the user support load on the "Not enough
information to check the signature validity." message) but were very
relevant before we could provide HTTPS-equivalent verification for
everybody. In them, trusting the Tails signing key was proposed as an
additional check to provide authenticity.
I think we should acknowledge that proper OpenPGP verification with
the web-of-trust is not accessible to first-time users who landed on
our website and want to give Tails a try. But are for people who
already know the basics of OpenPGP for encrypting their emails, for
So as a general direction, I think we should focus on:
- Documenting better the strategy behind the web-of-trust which is the
game changer here.
- Pushing bits of OpenPGP verification to Tails Installer.
And not so much on providing step-by-step instructions for OpenPGP
basics. Not that it's a bad thing as such but more as a question of
priority. Also note as a general policy, documenting how to use
Gpg4Win, GPGTools, etc. could be considered out-of-scope in our
Regarding what to do now, I propose we:
- Rescue /download.html#index3h1 and make it clear in the intro that
this is meant for people who already know the basics of OpenPGP and
insist more on the web-of-trust verification.
- I'm not sure it's relevant to keep /doc/get/verify_*, further
improve these pages (see #7147), etc. Maybe helping upstream on the
long-term would be better but we've not been very good at this in
- I'm not sure what to do with the download correlation technique
right now, but I don't mind leaving it around for some time.
#6 Updated by sajolida almost 4 years ago
#11 Updated by intrigeri over 3 years ago
People trying the download correlation get confused whenever we update our key file on the website.
Indeed, re-reading that piece of doc, pieces of it are totally buggy, in the sense they rely implicitly on the fact that the key file doesn't ever change.
So I think we should drop that technique [...].
I agree we should drop that technique: the vast majority of people who will do it right don't need us to document it.