storing keyrings into SQL database?

David Shaw dshaw@jabberwocky.com
Fri May 23 02:23:02 2003



On Wed, May 21, 2003 at 11:33:12AM -0500, Ryan Malayter wrote:
> From: "Branko F. Gračnar" [mailto:bfg@noviforum.si]
> 
> > > You could certainly store keyring files in a SQL database, then
> > > extract them to a unique temporary filename when needed. Use random hex
> <snip>
> > Uf. This is ugly and possibly insecure, but it's doable.
> 
> It's at least as secure as storing each user's key in a separate
> directory on the server. All you need to do is make sure your random
> temporary filename space is large enough that there are no collisions,
> your random numbers are generated well (with GnuPG itself?), and the
> user's SSL session is protected from hijacking using best practices.

Instead of storing each key with a random temporary filename, use a
filename derived from the fingerprint of the key.  It's deterministic,
plus if two keys have the same fingerprint, they are treated as the
same key for many purposes anyway.

David
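One way to implement the fingerprint-derived filename David suggests, as an added Python example that is not code from this thread or from GnuPG: the fingerprint is normalised and checked to be exactly 40 hex digits before it becomes a filename, and the keyring bytes pulled from the database are written atomically with owner-only permissions. The keyring directory, the helper names and the sample keyring bytes are assumptions.

```python
import os
import re
import tempfile

# A v4 OpenPGP fingerprint is 40 hex digits (SHA-1). v3 fingerprints
# (32 hex digits, MD5) are deliberately rejected here; widen the regex
# if the database still holds v3 keys.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample, not a real keyring: just a few bytes standing in
# for the blob that would be fetched from the SQL database.
SAMPLE_KEYRING = b"\x99\x01\x0d\x04constructed-sample-keyring"


def fingerprint_path(keyring_dir, fingerprint):
    """Map a key fingerprint to a deterministic, safe filename.

    Strips the spaces GnuPG prints between groups, upper-cases, and refuses
    anything that is not exactly 40 hex digits, so a value taken from a web
    session cannot carry '/', '..' or other path tricks into the filename.
    """
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not FINGERPRINT_RE.match(fpr):
        raise ValueError("not a v4 OpenPGP fingerprint: %r" % (fingerprint,))
    return os.path.join(keyring_dir, fpr + ".gpg")


def extract_keyring(keyring_dir, fingerprint, keyring_bytes):
    """Write keyring bytes to the fingerprint-derived path and return it.

    The directory is created mode 0700, the file is created mode 0600 by
    mkstemp, and the data lands via rename so a concurrent gpg invocation
    never reads a half-written keyring. Re-extracting the same key simply
    overwrites the same path, which is the point of a deterministic name.
    """
    os.makedirs(keyring_dir, mode=0o700, exist_ok=True)
    path = fingerprint_path(keyring_dir, fingerprint)
    fd, tmp = tempfile.mkstemp(dir=keyring_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(keyring_bytes)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


if __name__ == "__main__":
    d = tempfile.mkdtemp(prefix="keyrings-")
    print(extract_keyring(d, "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678", SAMPLE_KEYRING))
```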