[pass] Signed .gpg-id file

p0intless at mailbox.org p0intless at mailbox.org
Wed Aug 12 22:49:42 CEST 2015


Yes that is the plan, whenever you create a new entry you check all the
signatures of all the .gpp-id files in parent folders, and ultimately your

own signature of the root .gpg-id file. This ensures that you only encrypt
the password with the keys which are actually allowed to see them.

Signature checking overhead should not be that bad because you only
check when you create a new entry.

Changing the .pgp-id file of a subfolder is absolutely no problem, it
needs
only one signature (from the person that changed it) and the signature
can be generated automatically. 

The problem is the root .gpg-id file, it needs to be signed but there is
no
parent .gpg-id file to validate that the person singing it is actually
allowed
to do so (change the .gpg-id file).

I see two possible solutions:

1. Every user interactively confirms that he/she trusts the people/keys 
in the root .gpg-id file and therefore signs the file themselve. 
(Only needs resigning of the user when root .gpg-id file changes)

2. There is one admin key, that signs the root .gpg-id file. All users of 
the repo trust that admin. Maybe based on the PGP trust model. This
would not require everyone to sign the file.

> Emil Lundberg <lundberg.emil at gmail.com> hat am 12. August 2015 um 20:26
> geschrieben:
> 
> 
> Just for clarity: You mean that each user, before creating new
> passwords,
> would verify that there is a valid signature made by a trusted key in
> their
> own keyring?
> 
> Seems like a sound idea to me. I'm not sure an interactive introduction
> thing is necessary, though - you'll still need to re-sign the file
> whenever
> it changes (which it legitimately might), and check its integrity all
> the
> time anyway. Wouldn't it suffice to just tell the user and refuse to
> continue? That would eliminate the special case while also reducing the
> amount of metadata in the repository.
> 
> On Wed, 12 Aug 2015 20:05  <p0intless at mailbox.org> wrote:
> 
> > I propose that the .gpg-id file should be signed, otherwise in a
> > shared
> > environment somebody could simply add
> > their key-id to the file and all the entries created after that would
> > be
> > readable for that person, without the
> > knowledge of the creator.
> >
> > The key-id of the signer of any .gpg-id files must be in the .gpg-id
> > file
> > of the parent directory. If the parent
> > directory has not got a .gpg-id file its parent or eventually the
> > .gpg-id
> > file of the root folder will be used.
> >
> > The key-ids in the .gpg-id file of the root folder are the highest in
> > the
> > trust chain, they are the admins of the
> > repository. Every user of the repository signs the root .gpg-id file
> > and
> > therefore trusts the admins.
> >
> > When a users uses the repo for the first time (or the root .gpg-id
> > file
> > changes) they will be prompted the list
> > of admins (email and key-id ideally). The user can than chose to trust
> > the
> > admins and sign .key-id file.
> >
> > This ensures that all th .gpg-id files are cryptographically
> > protected. I
> > think this is a lot better than simply
> > write-protecting it on the file system level. This ensures securety
> > when
> > the repository is shared on a fileserver
> > and also on a compromised machine.
> >
> > Aditionaly I think the .gpg-id file should contain the name, email and
> > key-id (full length) of the keys.
> >
> > The .gpg-id file could also regulate who can create subdirectories and
> > add
> > users to these.
> >
> > I'd like to implement these changes, what do you think? Any Ideas or
> > improvements?
> > _______________________________________________
> > Password-Store mailing list
> > Password-Store at lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/password-store
> >


More information about the Password-Store mailing list