propose TPA-RFC-53 to tor-internal (team#41083)

24eecdd2 · anarcat · b00a013d · 24eecdd2 · 24eecdd2
Verified Commit 24eecdd2 authored 1 year ago by anarcat
--- a/policy.md
+++ b/policy.md
@@ -22,12 +22,12 @@ and add it to the above list.
 * [TPA-RFC-38: Setting Up a Wiki Service](policy/tpa-rfc-38-new-wiki-service)
 * [TPA-RFC-45: Mail architecture](policy/tpa-rfc-45-mail-architecture)
 * [TPA-RFC-47: Email account retirement](policy/tpa-rfc-47-email-account-retirement)
- * [TPA-RFC-53: Security keys give away](policy/tpa-rfc-53-security-keys)

 ## Proposed

 <!-- No policy is currently `proposed`. -->

+ * [TPA-RFC-53: Security keys give away](policy/tpa-rfc-53-security-keys)
 * [TPA-RFC-54: build boxes retirement](policy/tpa-rfc-54-build-boxes-retirement)

 ## Standard

--- a/policy/tpa-rfc-53-security-keys.md
+++ b/policy/tpa-rfc-53-security-keys.md
@@ -109,12 +109,14 @@ encouraged to adopt those technologies in one form or another.
 ## General security policy

 The idea here is not to force anything on the organisation: there is a
-separate discussion to establish a security policy in [TPA-RFC-18](policy/tpa-rfc-18-security-policy).
+separate discussion to establish a security policy in [TPA-RFC-18][].
+
+[TPA-RFC-18]: policy/tpa-rfc-18-security-policy

 ## Nitrokey, Solokey, Titan key and other devices

 There are a number of other cryptographic tokens out there. Back in
-2017, anarcat produced a [review of various tokens](https://anarc.at/blog/2017-10-26-comparison-cryptographic-keycards). The Nitrokey
+2017, anarcat produced a [review of various tokens][]. The Nitrokey
 was interested, but was found to be too bulky and less sturdy than the
 Yubikey.

@@ -126,9 +128,11 @@ was made with Yubico people.

 That said, contributors are free to use the tokens of their choice.

+[review of various tokens]: https://anarc.at/blog/2017-10-26-comparison-cryptographic-keycards
+
 ## Getting rid of passwords

-[Passkeys](https://fidoalliance.org/passkeys/) are an emerging standard that goes beyond what we are
+[Passkeys][] are an emerging standard that goes beyond what we are
 planning here. To quote the website, they are "a replacement for
 passwords that provide faster, easier, and more secure sign-ins to
 websites and apps across a user’s devices."
@@ -140,6 +144,8 @@ and understand *now*. One out of six people in the survey already have
 Yubikeys so the inside knowledge for that technology is well
 established, we are just getting tools in people's hands right now.

+[Passkeys]: https://fidoalliance.org/passkeys/
+
 ## Single sign on

 The elephant in the room in this proposal is how all our
@@ -149,7 +155,7 @@ probably be fixed in time, but is not covered by this proposal.
 ## Individual orders

 We are getting lots of keys at once because we hope to bypass possible
-[interdiction](https://en.wikipedia.org/wiki/Interdiction) as we hope to get the keys in person. While it is
+[interdiction][] as we hope to get the keys in person. While it is
 possible for Yubico itself to be compromised, the theory is that going
 directly to them does not raise the risk profile, while removing an
 attack vector.
@@ -157,6 +163,8 @@ attack vector.
 That said, contributors are free to get keys on their own, if they
 think they have a more secure way to get those tokens.

+[interdiction]: https://en.wikipedia.org/wiki/Interdiction
+
 # Costs

 Staff time, hardware donated by Yubico.
@@ -167,11 +175,12 @@ Core contributors should approve.

 # Deadline

-One week.
+In one week I will finalize the process with Yubico unless an
+objection is raised on tor-internal.

 # Status

-This proposal is currently in the `draft` state.
+This proposal is currently in the `proposed` state.

 # References