[pass] [PATCH] Team pass: enable multiple keys and per directory
Brian Shore
brian at networkredux.com
Wed Mar 19 18:38:59 CET 2014
On Wed, Mar 19, 2014 at 10:06 AM, Jan-Frode Myklebust
<janfrode at tanso.net> wrote:
> I agree it's a pain to distribute, and change keys, but am uncertain about if I'd want to blindly trust a keyring distributed together with the password store. Actually, even trusting the list of keyid's instead of a group name defined outside of the git repo is opening up an easy attack by changing the list of id's git-serverside to steal new passwords.
>
> The .gpg_id (or keyring) should probably be signed by someone we trust outside of the password-store before use.
Why not sign the .gpg_id files after creation as part of the init
process? Does it need to be signed by someone who doesn't use the
password store?
--
Brian Shore
Senior Systems Engineer, Security Architect
Network Redux, LLC
5200 SW Macadam Ave Ste 450
Portland, Oregon 97239
Desk: 503-274-9905 x503
More information about the Password-Store
mailing list