[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Monotone-devel] while i'm on the subject, other things that ought to be
|
From: |
Zack Weinberg |
|
Subject: |
[Monotone-devel] while i'm on the subject, other things that ought to be done to key handling... |
|
Date: |
Mon, 4 Feb 2008 11:29:33 -0500 |
The on-disk keystore format is currently a single file per keypair
containing a packet representation of both the public and private
keys. It should be changed to two files per keypair, one with the
public and one with the private key, each in PEM format - natively
understood by Botan, and also understood by external tools.
Alternatively, the public key could be formatted the way ssh
identity.pub files are formatted, which would eliminate the need for
the ssh_agent_export subcommand. Obviously we should sanity-check the
public against the private key at load time.
File names should be like "public_<keyid>", "private_<keyid>" to clue
people in that the private key is sekrit. (I recall some sort of
complaint about people posting their keypair files on an IRC pastebin
or something like that...)
The keystore should be paranoid about reading private key files, the
same way ssh is: the file itself must be owned by the invoking user
and no more than mode 600, and all containing directories must be
owned by the user or root and no more than mode 755. (Similar
paranoia about ACLs would also be good but I ain't coding it.) Of
course, get the modes right when creating these things, too, and warn
the user if (for instance) their home directory isn't sufficiently
locked down.
And let's switch from 3DES to AES for private key encryption while
we're making changes.
zw
- [Monotone-devel] while i'm on the subject, other things that ought to be done to key handling...,
Zack Weinberg <=