<p dir="ltr">Just for clarity: You mean that each user, before creating new passwords, would verify that there is a valid signature made by a trusted key in their own keyring?</p>
<p dir="ltr">Seems like a sound idea to me. I'm not sure an interactive introduction thing is necessary, though - you'll still need to re-sign the file whenever it changes (which it legitimately might), and check its integrity all the time anyway. Wouldn't it suffice to just tell the user and refuse to continue? That would eliminate the special case while also reducing the amount of metadata in the repository.</p>
<br><div class="gmail_quote"><div dir="ltr">On Wed, 12 Aug 2015 20:05 <<a href="mailto:p0intless@mailbox.org">p0intless@mailbox.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I propose that the .gpg-id file should be signed; otherwise, in a shared environment, somebody could simply add their key-id to the file and all the entries created after that would be readable by that person, without the knowledge of the creator.<br>
<br>
The key-id of the signer of any .gpg-id file must be in the .gpg-id file of the parent directory. If the parent directory does not have a .gpg-id file, that of its parent, or eventually the .gpg-id file of the root folder, will be used.<br>
<br>
The key-ids in the .gpg-id file of the root folder are the highest in the trust chain; they are the admins of the repository. Every user of the repository signs the root .gpg-id file and therefore trusts the admins.<br>
<br>
When a user uses the repo for the first time (or the root .gpg-id file changes) they will be prompted with the list of admins (email and key-id, ideally). The user can then choose to trust the admins and sign the .gpg-id file.<br>
<br>
This ensures that all the .gpg-id files are cryptographically protected. I think this is a lot better than simply write-protecting them at the file system level. This ensures security when the repository is shared on a file server and also on a compromised machine.<br>
<br>
Additionally, I think the .gpg-id file should contain the name, email and key-id (full length) of the keys.<br>
<br>
The .gpg-id file could also regulate who can create subdirectories and add users to these.<br>
<br>
I'd like to implement these changes; what do you think? Any ideas or improvements?<br>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="http://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer" target="_blank">http://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
</blockquote></div>
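<p dir="ltr">The chain rule the proposal describes, written out as an added example (not code from pass or from anyone in this thread): a shell fragment that finds the .gpg-id governing a directory, reads the signer's primary-key fingerprint from gpg's machine-readable status output, and refuses the file when that signer is not listed. It assumes a detached signature at &lt;dir&gt;/.gpg-id.sig, full 40-hex-digit fingerprints one per line in .gpg-id, and that the root .gpg-id is governed by itself; all three are assumptions, not part of the proposal.</p>

```bash
#!/usr/bin/env bash
# Added example (not pass's own code, not from the thread): check a signed .gpg-id against the
# trust chain proposed above. Assumptions: <dir>/.gpg-id has a detached signature in
# <dir>/.gpg-id.sig; .gpg-id files list full 40-hex-digit fingerprints, one per line; the
# root .gpg-id is governed by itself (only keys listed in it may sign it).
set -e

# Print the .gpg-id that governs who may sign $1/.gpg-id: the nearest .gpg-id in an ancestor
# of $1 (never $1 itself), stopping at the store root $2. Fails if none is found.
governing_gpg_id() {
    local dir="$1" root="$2"
    if [ "$dir" = "$root" ]; then printf '%s\n' "$root/.gpg-id"; return 0; fi
    while :; do
        case "$dir" in "$root"|/) return 1 ;; esac   # walked out of the store: no governing file
        dir=$(dirname "$dir")
        if [ -f "$dir/.gpg-id" ]; then printf '%s\n' "$dir/.gpg-id"; return 0; fi
    done
}

# Succeed iff fingerprint $1 appears as a whole line of .gpg-id file $2.
fingerprint_listed() {
    grep -Eq "^[[:space:]]*$1[[:space:]]*\$" "$2"
}

# Print the primary-key fingerprint behind a good detached signature $2 over $1, using gpg's
# machine-readable status lines (VALIDSIG is only emitted for a signature that verifies with
# a key present in the keyring). Prints nothing and fails on a bad or missing signature.
signer_fingerprint() {
    local status
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" |
        awk '$2 == "VALIDSIG" && !seen { print ($12 != "" ? $12 : $3); seen = 1 }'
}

# The proposal's rule: whoever signed <dir>/.gpg-id must be listed in the governing .gpg-id.
verify_gpg_id_chain() {
    local dir="$1" root="$2" governing signer
    governing=$(governing_gpg_id "$dir" "$root") || { echo "no governing .gpg-id above $dir" >&2; return 1; }
    signer=$(signer_fingerprint "$dir/.gpg-id" "$dir/.gpg-id.sig") || signer=""
    [ -n "$signer" ] || { echo "bad or missing signature on $dir/.gpg-id" >&2; return 1; }
    fingerprint_listed "$signer" "$governing" || { echo "signer $signer is not listed in $governing" >&2; return 1; }
    echo "$dir/.gpg-id: signed by $signer, authorised by $governing"
}
```

<p dir="ltr">VALIDSIG only says the signature verifies with a key in the keyring; a check on gpg's TRUST_* status line would be the place to add the "trusted key" requirement from the reply above.</p>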