huge keyrings (was: id matching)

Brian Warner warner at lothar.com
Mon Nov 2 21:14:54 CET 1998


wk at isil.d.shuttle.de (Werner Koch) writes:
> To distribute a large keyring over a couple of disks I think it will
> also be a good idea to use some bits from the keyring to index a file.
> Using symlinks for the gdbm files should give an admin the
> possibility to put the files on different disks.

This is only marginally related, but if you're playing with the keyring code
anyway... I've been pondering other (read "more secure") ways to store and
retrieve the secret key material. One thing that might help open up more
mechanisms would be to add a hook to get secret keyring data by running a
program and simply gathering stdout. You could pass the keyid to the program
and it would return a (possibly armored) private keyblock. GPG uses the data
and then throws it out. I'm thinking of something like a Pilot attached to a
serial port, and then the program in question would send a request for the key
to the pilot, which would just dump some text back through the serial port. I
think this could be done with a script around the existing pilot-xfer tools in
a simple memo without having to write anything particularly clever. Anything
to avoid keeping my private keys on my system at work. And if the passphrase
could still be used on a key stored/transmitted in such a manner, all the
better. Still two factors ("thing you have" and "thing you know"), but the
"thing you have" is now something small you can take home with you at night.
A simple nvram iButton just containing data would be even smaller.

I think the ssh-style encryption-agent is the long-term way to go, but a hook
for something like this might be convenient. Something like
"add-secret-keyring-program /path/bin/program". If there were multiple
entries, call each one in order until the key is returned.

cheers,
 -Brian
  warner at lothar.com
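The hook described in the message above, as an added example in Python (it is not GnuPG code and not from the original post): each configured entry is run with the key id as its only argument, its stdout is collected, and the first output framed as an armored private key block is returned; entries are tried in order until one succeeds. The configuration format (a list of argv prefixes), the single-argument calling convention, the "exit non-zero when you don't hold the key" contract, and the two stub helper scripts standing in for the Pilot/serial-port script are all assumptions made for this example. The block the stub emits is a constructed placeholder, not a real key.

```python
import os
import re
import subprocess
import sys
import tempfile

# Armor markers of an OpenPGP private key block. The fetcher accepts only
# output framed by them, so a chatty or failing helper is ignored rather
# than mistaken for key material.
ARMOR_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_END = "-----END PGP PRIVATE KEY BLOCK-----"

# Short or long key id, optionally 0x-prefixed (assumed input format).
KEYID_RE = re.compile(r"^(0x)?[0-9A-Fa-f]{8}([0-9A-Fa-f]{8})?$")


def looks_like_private_keyblock(text):
    """True if text is framed by the OpenPGP private-key armor lines."""
    body = text.strip()
    return body.startswith(ARMOR_BEGIN) and body.endswith(ARMOR_END)


def fetch_secret_key(keyid, programs, timeout=30):
    """Run each configured program (an argv list) with the key id as its
    single argument and return the first armored private key block found
    on stdout, or None if no program produced one. The returned block is
    still passphrase-protected; the caller uses it and then drops it."""
    if not KEYID_RE.match(keyid):
        raise ValueError("key id must be 8 or 16 hex digits")
    for argv in programs:
        try:
            proc = subprocess.run(
                list(argv) + [keyid],      # argv list: no shell, no quoting
                capture_output=True, text=True,
                timeout=timeout, check=False,
            )
        except (OSError, subprocess.TimeoutExpired):
            continue                       # missing or hung helper: next one
        if proc.returncode != 0:
            continue                       # helper signals "not my key"
        if looks_like_private_keyblock(proc.stdout):
            return proc.stdout
    return None


# --- Constructed stand-ins for the helper programs (not real key stores) ---
# Placeholder body: base64 of a constant string, NOT a real key.
DUMMY_BLOCK = (
    ARMOR_BEGIN + "\n\n"
    "Q09OU1RSVUNURUQtRFVNTVktTk9ULUEtUkVBTC1LRVk=\n"
    + ARMOR_END + "\n"
)


def make_demo_programs(tmpdir=None):
    """Write two tiny Python helpers: the first never has the key (exit 1),
    the second answers only for the constructed key id DEADBEEF."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="keyhook-")
    missing = os.path.join(tmpdir, "no_key.py")
    holding = os.path.join(tmpdir, "pilot_stub.py")
    with open(missing, "w") as f:
        f.write("import sys\nsys.exit(1)\n")
    with open(holding, "w") as f:
        f.write(
            "import sys\n"
            "if len(sys.argv) != 2 or sys.argv[1] != 'DEADBEEF':\n"
            "    sys.exit(1)\n"
            f"sys.stdout.write({DUMMY_BLOCK!r})\n"
        )
    # Each entry is an argv prefix; entries are tried in the listed order.
    return [[sys.executable, missing], [sys.executable, holding]]


if __name__ == "__main__":
    progs = make_demo_programs()
    print(fetch_secret_key("DEADBEEF", progs) is not None)  # True
    print(fetch_secret_key("CAFEBABE", progs))               # None
```

Passing the helper as an argv list rather than a shell string keeps the key id from being interpreted by a shell, and validating the id before the call keeps a malformed argument from reaching the helper at all. A non-zero exit or a time-out just moves on to the next entry, which is what lets a serial-attached device that is currently unplugged fall through to another source.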
