On Friday, March 9, 2018 at 9:57:47 PM UTC-5, Andrew David Wong wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 2018-03-09 16:12, Peter Todd wrote: > > On Fri, Mar 09, 2018 at 12:19:47PM -0800, > > theinnovativeinven...@gmail.com wrote: > >> I was looking at the canaries, and I liked the idea of a proof of > >> freshness with the latest news headlines. While people can't > >> create canaries ahead of time, it is possible to conspire to > >> modify or backdate one of them after they have been published. To > >> prevent this, we could use a blockchain-based timestamp, where > >> the hashes of each canary are placed within the blockchain of a > >> powerful cryptocurrency. Something similar to these services: > >> > >> https://opentimestamps.org/ http://originstamp.org/home > >> > >> This way, if there ever is a interruption of canaries, followed > >> by a court order or something forcing you guys to backdate a > >> falsified canary or modify old ones, we will all be able to > >> check. > > > > The easiest way to do this is to simply use the OpenTimestamps > > (OTS) git integration. This blog post explains how: > > > > https://petertodd.org/2016/opentimestamps-git-integration > > > > Addiitionally, while not covered in that blog post, OTS also > > supports a mode where it rehashes the git tree in such a way that > > an efficient, SHA256-based, timestamp proof can be extracted later > > for each file. In the next release this will be done by default, > > but for now you have to add the --rehash-trees option where the > > ots-git-gpg-wrapper command is called. > > > > FWIW, as of this week, Bitcoin Core maintainer Wladimir J. van der > > Laan started using OTS to timestamp Bitcoin Core commits and tags. > > > > Related issue: > https://github.com/QubesOS/qubes-issues/issues/2847 > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > > -----BEGIN PGP SIGNATURE----- > > iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlqjSZoACgkQ203TvDlQ > MDDIihAAyu8mH1+bqRR/to4nEzEsVZGP9Y2EMx0JSc2KVN3iZ/nfsoDp1h3vbLDe > r79AZAJZVvjB6VEJCyMgqfa9ZirwT3Ri0g/9ozN9XFn3gdNt1rkz21lsW/nabtpV > P0lLoPOOcCaLWiHHXbRBa3RrntOYp1f3ReFRg0+He9QcmD8aATm43euaPZ+Y/OMb > jhskfSLu9jHh4Ef0R+wXYnjtN7FNwuccy+WuByTzmlT2BbLfjTljo4pahEaDqPKo > mkX330EhVYEXmNfTiV07MmFmYtd2/9zAWB2cZCYsv7S0dh5dc3MyGzQW+pscNyMU > JroXQOtC1JgqctQSkKVPNAiGjzrz5e+RL8K6E+xpCh8tvDNZtPbcCC5S91AsvdOj > N9cxyFFWZiOq7FVO0Wjg0Rvamm67uLFRyLYVPCNj6KeZ6wsPspU32OqCZtXkVTNW > BnGts+Ooo7Z8JW0vsHo/n3kcTYhMp40sBtl4dI1oKMrkoYR8LjM2H98wecdZKl9i > kArYv8WQzgGAFn0631Z3pPRw2g9kVkssH0vrOMuDxYCLiqFg8ImIbx0AhMtPlTEA > pGYsYrL/V2OgvjBGNFcfmtTtprY8SGUFAcIBrVZUcAH4lGntLJW8D2MSmhy+9bpy > 8cbbhdqeqHSI5meVyaVahL+7GCx4/gggivvd81WdY0lVkZTjpCE= > =Oc4Y > -----END PGP SIGNATURE-----
Sounds good! I was thinking of manually doing each of the canaries for now by using this: https://github.com/opentimestamps/opentimestamps-client. Git integration can be done later. I just used the javascript opentimestamps client to stamp all the Qubes PGP keys, Qubes Security Bulletins, Qubes warrant canaries, and Qubes ISO digests along with the signatures at my fork of qubes-secpack: https://github.com/InnovativeInventor/qubes-secpack. Should I submit a pull request with these .ots files included? -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/edcb8b7a-11b6-4d84-9266-2c1e8e2292a4%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
