{{Header}}
{{#seo:
|description=Development Notes about OpenPGP Signed Website
}}
{{intro|
Development Notes about OpenPGP Signed Website
}}
= OpenPGP Signed Website =
Has been requested in the forum. <ref>https://sourceforge.net/p/whonix/discussion/general/thread/6d7344a5/</ref> Having an OpenPGP Signed Website would be desirable. But that would require a software, which does not exist yet.

There is [https://www.sanface.com/pgphtml.html PGPHTML: to make PGP or GPG signed web-pages], but it is from 2002 there are licensing problems. <ref>Patrick Schleizer mailed <code>licensing at fsf dot org</code> (name redacted). PGPHTML is probably not Free Software. If that were the case, it wouldn't be usable for {{project_name_long}}. Adrelanos also mailed the author, but there was no response.

<pre>
> Is the following license Free Software?

> Is it GPL compatible?

> homepage: https://www.sanface.com/pgphtml.html

> source tarball: https://www.sanface.com/pgphtml.tar.gz

> License text:

>> # pgphtml -- a perl script to make PGP signed web-pages
>> #
>> # by SANFACE Software <sanface@sanface.com> 19 June 2002
>> #
>> # Requires the PGP or GPG
>> # GPG support added by John Arundel <john@splange.freeserve.co.uk>
>> #
>> # Copy, use, and redistribute freely, but don't take my name off it and
>> # clearly mark an altered version.  Fixes and enhancements cheerfully
>> # accepted.
>> #
>> # This is version 4.1.

The license doesn't explicitly permit modifications, nor distribution
for a fee (even the relatively terse Expat license, sometimes
ambiguously referred to as the MIT License, explicitly states that you
have: "... without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
...")

It also states that "fixes ...  accepted" in the same block as the
license text, so it is unclear if that is a part of the license or a
friendly request.

I can't speak to what was the author's intent when writing the license;
It is not my place to say "oh, the author of the license probably
meant..." Therefore I would recommend contacting the author before using
the software and asking for a copy of the software under a well known
free software license.
</pre>
</ref>

PGPHTML also wouldn't work as a complete solution.

* Users most likely won't copy and paste the text, so this would also require a browser or browser addon automating the verification.
* Adversaries in position to modify website content can always mount a rollback or indefinite freeze attacks (see <ref>[[Dev/Permanent_Takedown_Attack_Defender#Definitions]]</ref> for definitions of those attacks). I.e. could pick an old message/website, which was signed years ago and now contains insecure/outdated information without the user being informed about the attack. To prevent that, the client application would have to check a field similar to Valid-Until field <ref>
https://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
</ref>.
* The website structure or link would have to be signed and verified as well.
* Should pass the [https://github.com/theupdateframework/tuf/blob/develop/docs/SECURITY.md TUF] threat model.

While relying on the OpenPGP web of trust, and not the [[SSL|SSL cartel]], this could provide strong verification. On the other hand, it probably couldn't provide end-to-end encryption, SSL or .onion would be required for that.

It is an interesting idea, but outside the scope of {{project_name_short}} to invent such a solution.

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Development]]