explain a bit better about why GPG signature checking in thandy is not going to happen.

git-svn-id: file:///home/or/svnrepo/updater/trunk@17417 55e972cd-5a19-0410-ae62-a4d7a52db4cd
author: Nick Mathewson <nickm@torproject.org> 2008-11-30 06:49:10 +0000
committer: Nick Mathewson <nickm@torproject.org> 2008-11-30 06:49:10 +0000
commit: 36d91991e3e4dd00051aaa4c92a3dae8fabcec39 (patch)
tree: c5b953e3674f0dda07697e94dd61c9cb6b27fd9a
parent: d124ec5255713e40b5f325c614ad9fdb7f26ff28 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/specs/thandy-spec.txt b/specs/thandy-spec.txt
index ca3f5c8..3726c94 100644
--- a/specs/thandy-spec.txt
+++ b/specs/thandy-spec.txt
@@ -739,7 +739,10 @@ R.1. Considering recommended versions from Tor consensus directory documents
 
 R.2. Integration with existing GPG signatures
 
-  The OpenPGP signature and key format is so complicated that you'd
-  have to be mad to touch it.
+  The OpenPGP signature and key format is so complicated that you'd have
+  to be mad to try to read it yourself.  (Check out RFC2440 for
+  information about how bad it is in theory; in practice, it's worse.)
+  Therefore, if we wanted to check OpenPGP signatures, we would
+  basically have to bundle GPG.
author	Nick Mathewson <nickm@torproject.org>	2008-11-30 06:49:10 +0000
committer	Nick Mathewson <nickm@torproject.org>	2008-11-30 06:49:10 +0000
commit	36d91991e3e4dd00051aaa4c92a3dae8fabcec39 (patch)
tree	c5b953e3674f0dda07697e94dd61c9cb6b27fd9a
parent	d124ec5255713e40b5f325c614ad9fdb7f26ff28 (diff)