[pass] Signed .gpg-id file
p0intless at mailbox.org
Wed Aug 12 20:04:28 CEST 2015
I propose that the .gpg-id file should be signed; otherwise, in a shared environment, somebody could simply add their key-id to the file and all the entries created after that would be readable for that person, without the knowledge of the creator.

The key-id of the signer of any .gpg-id file must be in the .gpg-id file of the parent directory. If the parent directory has not got a .gpg-id file, its parent or eventually the .gpg-id file of the root folder will be used.

The key-ids in the .gpg-id file of the root folder are the highest in the trust chain; they are the admins of the repository. Every user of the repository signs the root .gpg-id file and therefore trusts the admins.

When a user uses the repo for the first time (or the root .gpg-id file changes) they will be prompted with the list of admins (email and key-id ideally). The user can then choose to trust the admins and sign the .gpg-id file.

This ensures that all the .gpg-id files are cryptographically protected. I think this is a lot better than simply write-protecting it on the file system level. This ensures security when the repository is shared on a fileserver and also on a compromised machine.

Additionally I think the .gpg-id file should contain the name, email and key-id (full length) of the keys.

The .gpg-id file could also regulate who can create subdirectories and add users to these.

I'd like to implement these changes, what do you think? Any ideas or improvements?
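The trust-chain walk described in the post, as an added example that is not part of the original message and not code from pass itself. It assumes a detached signature stored next to each file as `.gpg-id.sig`, .gpg-id lines of the form `Name <email> FULL-FINGERPRINT` (or a bare fingerprint), and gpg's `--status-fd` output (the `[GNUPG:] VALIDSIG` line) to learn who signed a file. The gpg call is isolated in `gpg_signer_of` so the chain logic can be exercised with a stand-in verifier; `demo()` builds a constructed store with made-up fingerprints and shows an intruder-signed subdirectory file being rejected.

```python
"""Trust-chain check for signed .gpg-id files (added example, not pass code).

Rules modelled from the proposal:
  * every .gpg-id has a detached signature in <file>.sig (assumed name);
  * a .gpg-id below the root must carry a signature from a key listed in the
    nearest ancestor .gpg-id;
  * the root .gpg-id must carry the local user's own signature.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Set


class ChainError(Exception):
    """A .gpg-id is missing, unsigned, or signed by a key not in its parent."""


def parse_gpg_id(text: str) -> Set[str]:
    """Return the full-length key-ids in a .gpg-id; last token of each line."""
    ids: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ids.add(line.split()[-1].upper())
    return ids


def nearest_gpg_id(store: Path, directory: Path) -> Optional[Path]:
    """Walk from directory up to the store root; first .gpg-id found governs."""
    d = directory
    while True:
        candidate = d / ".gpg-id"
        if candidate.is_file():
            return candidate
        if d == store:
            return None
        d = d.parent


def gpg_signer_of(path: Path) -> Set[str]:
    """Fingerprints with a valid detached signature on path (real gpg call)."""
    sig = path.with_name(path.name + ".sig")
    if not sig.is_file():
        return set()
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(path)],
        capture_output=True, text=True)
    # "[GNUPG:] VALIDSIG <fingerprint> ..." is emitted once per good signature.
    return {ln.split()[2].upper() for ln in proc.stdout.splitlines()
            if ln.startswith("[GNUPG:] VALIDSIG ")}


def verify_chain(store: Path, directory: Path, own_key: str,
                 signer_of: Callable[[Path], Set[str]] = gpg_signer_of) -> List[Path]:
    """Verify every .gpg-id governing directory, nearest first, up to the root."""
    verified: List[Path] = []
    current = nearest_gpg_id(store, directory)
    if current is None:
        raise ChainError("no .gpg-id file found in the store")
    while True:
        signers = signer_of(current)
        if not signers:
            raise ChainError(f"{current}: missing or invalid signature")
        verified.append(current)
        if current.parent == store:
            # Root file: the user's own signature is the trust anchor.
            if own_key.upper() not in signers:
                raise ChainError(f"{current}: root .gpg-id not signed by own key")
            return verified
        parent_file = nearest_gpg_id(store, current.parent.parent)
        if parent_file is None:
            raise ChainError(f"{current}: no ancestor .gpg-id to vouch for it")
        if not signers & parse_gpg_id(parent_file.read_text()):
            raise ChainError(f"{current}: signer not listed in {parent_file}")
        current = parent_file


def demo() -> Dict[str, object]:
    """Constructed scenario with fake 40-hex fingerprints and a stub verifier."""
    admin, lead, intruder, me = "A" * 40, "B" * 40, "C" * 40, "D" * 40
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        (store / ".gpg-id").write_text(f"Alice Admin <alice@example.org> {admin}\n")
        (store / "team").mkdir()
        (store / "team" / ".gpg-id").write_text(
            f"Bob Lead <bob@example.org> {lead}\nMe <me@example.org> {me}\n")
        (store / "team" / "proj").mkdir()
        # Intruder appended themselves and signed the file with their own key.
        (store / "team" / "proj" / ".gpg-id").write_text(f"{intruder}\n{lead}\n")
        sigs = {store / ".gpg-id": {me, admin},
                store / "team" / ".gpg-id": {admin},
                store / "team" / "proj" / ".gpg-id": {intruder}}
        stub = lambda p: sigs.get(p, set())
        ok = [p.relative_to(store).as_posix()
              for p in verify_chain(store, store / "team", me, stub)]
        try:
            verify_chain(store, store / "team" / "proj", me, stub)
            rejected = False
        except ChainError:
            rejected = True
        return {"team": ok, "proj_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Because `gpg_signer_of` returns every fingerprint with a valid signature, the root file can carry one signature per user as the post suggests, and a subdirectory file passes as soon as any of its signers is vouched for by the parent; tightening that to "all signers" is a one-line change in `verify_chain`.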