Create a SD Directory Server to Audit and Enumerate instances

[Hainish]

This has been discussed in #92 (comment) - create a third party directory server to periodically scrape the SD instances out there, checking all active resources for malicious code injection using a standardized hashing mechanism. If an instance is modified, alert the SD instance owner of the change.

The entire SD application can live in a JS browser application, but the one component that would still have to be provided by the server is the GPG key of the instance. Thus the directory server should have a copy of the keys and check that the public key of the system is the same as well.

[garrettr]

I have a proposal for verifying and auditing journalist's public keys in the draft 1.0 Roadmap. @Hainish Would appreciate your feedback! It is quite different from the proposal here, but satisfies the same goals.

[ghost]

@conorsch is this resolved in the upcoming securedrop.org version ?

[conorsch]

@dachary Thanks for the ping!

Yes, the forthcoming overhaul of securedrop.org will implement an automated scanner for both the Source Interface and the Landing Page for each known SecureDrop instance, similar in style to Secure The News. The development effort on the new scanner is ongoing, and we optimistically hope to ship in Q2 2018.

As such, I'm closing this issue, as the final pieces are close to completion, and no code changes will be required to this repository in order to finalize implementation.