Re: [Monotone-devel] while i'm on the subject, other things that ought to be done to key handling...
Mon, 4 Feb 2008 11:38:47 -0500
Zack Weinberg spake unto us the following wisdom:
> The on-disk keystore format is currently a single file per keypair
> containing a packet representation of both the public and private
> keys. It should be changed to two files per keypair, one with the
> public and one with the private key, each in PEM format - natively
> understood by Botan, and also understood by external tools.
> Alternatively, the public key could be formatted the way ssh
> identity.pub files are formatted, which would eliminate the need for
> the ssh_agent_export subcommand. Obviously we should sanity-check the
> public against the private key at load time.
> File names should be like "public_<keyid>", "private_<keyid>" to clue
> people in that the private key is sekrit. (I recall some sort of
> complaint about people posting their keypair files on an IRC pastebin
> or something like that...)
I'm a big fan of breaking this key into two parts. I take care of
installing keys on the Pidgin monotone server, and I most often see
one of two things:
The output of 'monotone ls keys' for the key in question;
The entire file ~/.monotone/keys/keyid.
This despite the fact that we have explicit instructions for the
process on the wiki, as well as the instructions in the monotone
manual. Splitting up the keystore probably won't help the former, but
it probably *will* fix the latter.
> The keystore should be paranoid about reading private key files, the
> same way ssh is: the file itself must be owned by the invoking user
> and no more than mode 600, and all containing directories must be
> owned by the user or root and no more than mode 755. (Similar
> paranoia about ACLs would also be good but I ain't coding it.) Of
> course, get the modes right when creating these things, too, and warn
> the user if (for instance) their home directory isn't sufficiently
> locked down.
I'm not as big a fan of this. I agree that the keys should be created
properly, but after that ... let me manage my own permissions. ;-)
That said, I'm not going to cry if monotone is pickier.
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764
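The two concrete proposals in the quoted text, a split public_<keyid> / private_<keyid> keystore and an ssh-style ownership-and-mode check before a private key is read, as an added worked example. This is illustrative Python written for this page, not monotone's C++ or anything from the thread; the function names, the choice to stop the directory walk at the user's home directory (as ssh does) unless told otherwise, and the placeholder key contents and key id are assumptions made here.

```python
"""Added example (not monotone's own code): ssh-style checks for a split
keystore.  The file naming and the ownership/mode rules follow the thread;
the function names, the stop_dir behaviour and the sample data are
assumptions for this illustration.
"""
import os
import stat
import tempfile

# Bits that must be clear on a private key file: anything for group/other.
# A file with none of them set is mode 600 or tighter.
PRIVATE_KEY_FORBIDDEN = 0o077
# Bits that must be clear on every containing directory: group/other write.
# A directory with none of them set is mode 755 or tighter.
DIR_FORBIDDEN = 0o022


def check_private_key_path(path, uid=None, stop_dir=None):
    """Return a list of problems; an empty list means the file is safe to read.

    Rules as quoted in the thread: the file must be a regular file owned by
    the invoking user with no group/other permission bits, and every
    directory from the file's parent up to stop_dir (the user's home by
    default, mirroring ssh) must be owned by that user or root and must not
    be group- or world-writable.
    """
    uid = os.getuid() if uid is None else uid
    stop_dir = os.path.realpath(os.path.expanduser("~") if stop_dir is None else stop_dir)
    path = os.path.realpath(path)
    problems = []

    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid != uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & PRIVATE_KEY_FORBIDDEN:
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):o} is looser than 600")

    # Walk the containing directories upwards until stop_dir (inclusive) or /.
    d = os.path.dirname(path)
    while True:
        dst = os.stat(d)
        if dst.st_uid not in (uid, 0):
            problems.append(f"{d}: directory owned by uid {dst.st_uid}, not {uid} or root")
        if dst.st_mode & DIR_FORBIDDEN:
            problems.append(f"{d}: directory mode {stat.S_IMODE(dst.st_mode):o} is group/world writable")
        if d == stop_dir or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return problems


def write_keypair_files(keydir, keyid, public_pem, private_pem):
    """Create public_<keyid> (0644) and private_<keyid> (0600).

    Passing the mode to os.open (with O_EXCL so an existing file is never
    silently overwritten) gets the permissions right at creation time
    instead of relying on the caller's umask.
    """
    pub = os.path.join(keydir, f"public_{keyid}")
    priv = os.path.join(keydir, f"private_{keyid}")
    for name, data, mode in ((pub, public_pem, 0o644), (priv, private_pem, 0o600)):
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    return pub, priv


def demo():
    """Build a throwaway keystore and show the check catching loose modes."""
    results = {}
    with tempfile.TemporaryDirectory() as keydir:
        os.chmod(keydir, 0o700)
        # Constructed placeholder contents and key id; real files hold PEM blocks.
        pub, priv = write_keypair_files(keydir, "alice@example.com", b"PUBLIC\n", b"PRIVATE\n")
        results["fresh"] = check_private_key_path(priv, stop_dir=keydir)
        os.chmod(priv, 0o644)            # private key readable by everyone
        results["loose_file"] = check_private_key_path(priv, stop_dir=keydir)
        os.chmod(priv, 0o600)
        os.chmod(keydir, 0o777)          # sloppy containing directory
        results["loose_dir"] = check_private_key_path(priv, stop_dir=keydir)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```

The directory walk deliberately stops at a boundary directory rather than at /: on most systems /tmp is world-writable (with the sticky bit), so an unbounded walk would reject every key kept under it, which is why ssh only inspects the path up to the user's home. The check covers plain Unix modes only; as the quoted text says, ACLs would need separate handling.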