I propose that the .gpg-id file should be signed, otherwise in a shared environment somebody could simply add their key-id to the file and all the entries created after that would be readable for that person, without the knowledge of the creator.
The key-id of the signer of any .gpg-id file must be in the .gpg-id file of the parent directory. If the parent directory has not got a .gpg-id file, its parent or eventually the .gpg-id file of the root folder will be used. The key-ids in the .gpg-id file of the root folder are the highest in the trust chain; they are the admins of the repository. Every user of the repository signs the root .gpg-id file and therefore trusts the admins. When a user uses the repo for the first time (or the root .gpg-id file changes), they will be prompted with the list of admins (email and key-id, ideally). The user can then choose to trust the admins and sign the .gpg-id file. This ensures that all the .gpg-id files are cryptographically protected.

I think this is a lot better than simply write-protecting it on the file-system level. This ensures security when the repository is shared on a file server and also on a compromised machine.

Additionally, I think the .gpg-id file should contain the name, email and key-id (full length) of the keys. The .gpg-id file could also regulate who can create subdirectories and add users to these.

I'd like to implement these changes. What do you think? Any ideas or improvements?

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
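The trust-chain rule described in the message above, worked through as an added example (this is not code from pass/password-store, and the poster did not publish an implementation). It assumes a detached signature file `.gpg-id.sig` next to each `.gpg-id`, parses `gpg --status-fd` `VALIDSIG` lines for the real backend, and uses a constructed in-memory store with made-up fingerprints so it runs offline. The edge cases it exercises are the ones the proposal is about: a user who adds their own key to a subdirectory's `.gpg-id` and signs it with that same key is rejected, because the signer is checked against the nearest ancestor's list rather than the file itself, and a directory without its own `.gpg-id` inherits the verdict of the `.gpg-id` that governs it. The per-user countersignature of the root file is modelled as "the local user must appear among the root's valid signers".

```python
"""Trust-chain check for signed .gpg-id files (added example, not pass's own code).

Rule enforced: a directory's .gpg-id is trusted only if a valid signature over it
comes from a key listed in the nearest ancestor's .gpg-id.  The root .gpg-id must
be signed by one of the admins it lists and by the local user.  File layout
(.gpg-id + .gpg-id.sig), signer_from_gpg() and all fingerprints are assumptions.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import PurePosixPath
from typing import Callable

FPR_RE = re.compile(r"[0-9A-F]{40}")
# gpg --status-fd emits one VALIDSIG line per good signature; first field is the fingerprint.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ", re.M)


def parse_gpg_id(text: str) -> set[str]:
    """One key per line: full 40-hex fingerprint, optionally followed by name and e-mail.
    Short key-ids are refused because they are trivially collidable."""
    keys: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fpr = line.split()[0].upper()
        if not FPR_RE.fullmatch(fpr):
            raise ValueError(f"not a full fingerprint: {fpr!r}")
        keys.add(fpr)
    return keys


def signer_from_gpg(gpg_id_path: str) -> set[str]:
    """Real backend (assumed layout: <dir>/.gpg-id.sig holds detached signatures).
    Returns the fingerprints of every key whose signature verified; not run offline."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", gpg_id_path + ".sig", gpg_id_path],
        capture_output=True, text=True, check=False)
    return set(VALIDSIG_RE.findall(proc.stdout))


def nearest_ancestor(gpg_ids: dict[str, str], directory: str) -> str | None:
    """Strict ancestors only: 'team/ops' consults 'team', then '.' (the store root)."""
    for parent in PurePosixPath(directory).parents:
        if str(parent) in gpg_ids:
            return str(parent)
    return None


def check_store(gpg_ids: dict[str, str], signers_of: Callable[[str], set[str]],
                local_user: str) -> dict[str, str]:
    """Verdict per directory that holds a .gpg-id: 'ok' or the reason it is rejected.
    Visited root-first, so a child can rely on its ancestor's verdict."""
    verdicts: dict[str, str] = {}
    for d in sorted(gpg_ids, key=lambda p: len(PurePosixPath(p).parts)):
        signers = signers_of(d)
        if d == ".":  # root: a listed admin vouches for it, and the local user countersigned it
            if not signers & parse_gpg_id(gpg_ids[d]):
                verdicts[d] = "root .gpg-id not signed by any listed admin"
            elif local_user not in signers:
                verdicts[d] = "root .gpg-id not yet signed by the local user"
            else:
                verdicts[d] = "ok"
            continue
        authority = nearest_ancestor(gpg_ids, d)
        if authority is None:
            verdicts[d] = "no root .gpg-id"
        elif verdicts.get(authority) != "ok":
            verdicts[d] = f"ancestor {authority}/.gpg-id is not trusted"
        elif not signers & parse_gpg_id(gpg_ids[authority]):
            # Signed only by keys the file itself lists (or by nobody): self-authorisation.
            verdicts[d] = f"signer not listed in {authority}/.gpg-id"
        else:
            verdicts[d] = "ok"
    return verdicts


def may_encrypt_into(gpg_ids: dict[str, str], verdicts: dict[str, str], directory: str) -> bool:
    """The .gpg-id governing `directory` is its own, else the nearest ancestor's;
    refuse to encrypt a new entry unless that file passed the chain check."""
    p = PurePosixPath(directory)
    for candidate in (p, *p.parents):
        if str(candidate) in gpg_ids:
            return verdicts.get(str(candidate)) == "ok"
    return False


# Constructed fingerprints and store (directory -> .gpg-id content; '.' is the root).
ADMIN = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"
ALICE = "0000111122223333444455556666777788889999"
MALLORY = "DEADBEEF" * 5
GPG_IDS = {
    ".": f"{ADMIN} Admin <admin@example.org>\n",
    "team": f"{ADMIN}\n{ALICE} Alice <alice@example.org>\n",
    "team/dev": f"{ALICE}\n",
    "team/ops": f"{ALICE}\n{MALLORY} Mallory <mallory@example.org>\n",  # Mallory added herself
    "personal": f"{ALICE}\n",  # Alice made a top-level directory without an admin's signature
}
# Constructed stand-in for signer_from_gpg(): keys holding a valid signature over each file.
SIGNATURES = {
    ".": {ADMIN, ALICE},  # admin signed it; Alice countersigned it on first use
    "team": {ADMIN},
    "team/dev": {ALICE},  # allowed: Alice is listed in team/.gpg-id
    "team/ops": {MALLORY},  # self-signed by a key only team/ops/.gpg-id lists
    "personal": {ALICE},
}

if __name__ == "__main__":
    for d, v in check_store(GPG_IDS, SIGNATURES.__getitem__, local_user=ALICE).items():
        print(f"{d:10} {v}")
```

To use it against a real store, pass `signer_from_gpg` (with paths rooted at the store) in place of `SIGNATURES.__getitem__`; the verdicts for `team/ops` and `personal` are the two attacks the proposal is meant to stop, and `may_encrypt_into` is the check to run before every `pass insert` or `pass generate`.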
