freedomofpress / securedrop-signal-poc

prototype e2e server and source + journalist clients for securedrop
GNU General Public License v3.0

journalist GUI: expose fingerprints in UI #11

Open redshiftzero opened 3 years ago

redshiftzero commented 3 years ago

This is a placeholder for now, but if/when the logic in journalist.py is integrated into securedrop-client, there needs to be a mechanism for journalists to view and mark as verified fingerprints of the group participants (both other journalists and sources). My expectation naively is that journalists would verify other journalists' fingerprints as part of onboarding, and would rarely have sources verified unless they have an out-of-band comms channel they can safely use.

The client would need to store in its database the fingerprints and whether the key is verified or not for each user.

Tentative:

When fingerprints change for verified users, there should be a strong alert in the UI for the user. When fingerprints change for unverified users, there should still be an alert in the UI (but with less urgency).
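A minimal sketch of the storage and alerting behaviour proposed in the comment above, added here as an illustration; it is not code from the issue or from the securedrop-signal-poc repository. The table name, column names, function names and alert labels are hypothetical, and two design choices are assumptions: a changed fingerprint replaces the stored one, and verification does not carry over to the new key.

```python
import sqlite3

# Hypothetical schema: one row per group participant (journalist or source).
SCHEMA = """
CREATE TABLE IF NOT EXISTS participants (
    user_id     TEXT PRIMARY KEY,
    fingerprint TEXT NOT NULL,
    verified    INTEGER NOT NULL DEFAULT 0
)
"""

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def observe(db, user_id, fingerprint):
    """Record the fingerprint currently presented by user_id.

    Returns 'new', 'unchanged', 'changed_unverified' (lower-urgency alert)
    or 'changed_verified' (strong alert).
    """
    row = db.execute(
        "SELECT fingerprint, verified FROM participants WHERE user_id = ?",
        (user_id,),
    ).fetchone()
    if row is None:
        db.execute(
            "INSERT INTO participants (user_id, fingerprint) VALUES (?, ?)",
            (user_id, fingerprint),
        )
        db.commit()
        return "new"
    stored, was_verified = row
    if stored == fingerprint:
        return "unchanged"
    # Assumption: the new key is stored but must be verified again.
    db.execute(
        "UPDATE participants SET fingerprint = ?, verified = 0 WHERE user_id = ?",
        (fingerprint, user_id),
    )
    db.commit()
    return "changed_verified" if was_verified else "changed_unverified"

def mark_verified(db, user_id, fingerprint):
    """Mark verified only if the fingerprint that was compared is still the stored one."""
    cur = db.execute(
        "UPDATE participants SET verified = 1 WHERE user_id = ? AND fingerprint = ?",
        (user_id, fingerprint),
    )
    db.commit()
    return cur.rowcount == 1
```

Binding `mark_verified` to the fingerprint the journalist actually compared prevents a key that changed during the out-of-band check from being marked verified by accident.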