From 36d91991e3e4dd00051aaa4c92a3dae8fabcec39 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 30 Nov 2008 06:49:10 +0000 Subject: explain a bit better about why GPG signature checking in thandy is not going to happen. git-svn-id: file:///home/or/svnrepo/updater/trunk@17417 55e972cd-5a19-0410-ae62-a4d7a52db4cd --- specs/thandy-spec.txt | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'specs') diff --git a/specs/thandy-spec.txt b/specs/thandy-spec.txt index ca3f5c8..3726c94 100644 --- a/specs/thandy-spec.txt +++ b/specs/thandy-spec.txt @@ -739,7 +739,10 @@ R.1. Considering recommended versions from Tor consensus directory documents R.2. Integration with existing GPG signatures - The OpenPGP signature and key format is so complicated that you'd - have to be mad to touch it. + The OpenPGP signature and key format is so complicated that you'd have + to be mad to try to read it yourself. (Check out RFC2440 for + information about how bad it is in theory; in practice, it's worse.) + Therefore, if we wanted to check OpenPGP signatures, we would + basically have to bundle GPG. -- cgit v1.2.3
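Review bot: The new R.2 paragraph in specs/thandy-spec.txt stops at "we would basically have to bundle GPG" and never states the decision that the commit subject gives, namely that GPG signature checking in thandy is not going to happen. A reader of the spec alone sees a premise (the format is too complicated to parse ourselves) and a consequence (bundling GPG), but not whether bundling is rejected or merely deferred. Add a closing sentence to the section that says so explicitly and gives the reason bundling GPG is unacceptable for the updater. Separately, the parenthetical "in practice, it's worse" is an assertion with nothing behind it; naming one concrete way implementations diverge from RFC2440 would let the rationale stand on its own for someone revisiting this decision later.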