On Tue, Jan 26, 2016 at 1:23 PM, Lenz Weber <[email protected]> wrote:

> Adding something new may be fine, although I have no say in what is going
> to be accepted and the maintainer is not often seen around here.
> But I can tell you with high certainty that a change like this, which
> breaks pass in the way it worked before (and a lot of tools are relying on
> that behaviour) will not get accepted.

Sure. I can understand that much. But I did say that it is just a "proof of concept" implementation yet and it has still to be refined. Your feedback and help is welcome.

> On the topic why you are introducing all this, I'm not convinced it would
> be a good idea. Your reasons are that it is "easier, stronger and simpler".
> Easier and simpler may apply, but the selling point of pass is that it is
> a console password manager with a gpg backend. People looking for pass want
> to use gpg - and symmetric encryption is, at best, an edge case of gpg usage.

OK, it was sold to me as a command-line password management tool, and I did not even understand initially why it has to mess with gpg private keys and make things so complicated unnecessarily. Cutting the private keys out of the loop makes it simpler for people like me, who just want to keep personal passwords, not sharing them with other people, etc. Maybe there are other command-line tools more suitable, but I am not aware of them yet.

> Stronger: I do not agree with you. The only way to make it stronger would
> be a passphrase that is longer than your asymmetric private key. I don't
> believe anyone uses a passphrase that is >4096 bits long. The weakest part
> is always the passphrase.

Maybe you are right about this. I have just read somewhere that symmetric encryption is stronger than asymmetric encryption, but maybe it assumes that the keys are of the same size.

> But in the asymmetric scenario, an attacker would need the passphrase AND
> the key file. In the symmetric scenario, he just needs your passphrase.

If they have your encrypted password files, most probably they also have your private keys. At least for most of the people who are not using smartcards, yubikey, nitrokey, etc. (I am one of them). So the security remains up to the passphrase in both cases (the asymmetric scenario is not stronger). But I don't suggest removing the asymmetric scenario. For the cases when it is needed (having a smartcard, having to share passwords with other people, etc.) it is great, and I do think that this makes password-store an enterprise-grade software (even though it is such a small and simple script).

Regards,
Dashamir
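As an added illustration of the threat-model comparison argued in the thread above (this is not code from pass, gpg, or either correspondent), the toy model below builds both storage designs from the Python standard library: design A seals each entry directly under a passphrase-derived key, and design B seals entries under a random long-term key that is itself kept on disk wrapped under the passphrase, the way a gpg secret key sits encrypted in a keyring. The ciphers are illustrative stand-ins (PBKDF2 plus an HMAC counter keystream with an HMAC tag) and must not be used for real data; all function names, the fixed salt and the sample entry are constructed assumptions.

```python
"""Toy model of 'passphrase only' versus 'key file + passphrase' storage.
Constructed example; the primitives are stand-ins, not gpg."""
import hashlib
import hmac
import os

SALT = b"constructed-fixed-salt"  # a real tool uses a random salt per file
ITERATIONS = 100_000
TAG_LEN = 32


def derive_key(passphrase: str) -> bytes:
    """Stretch a passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, ITERATIONS)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC tag so a wrong key is detected."""
    body = _xor_stream(key, plaintext)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor_stream(key, body)


# Design A: symmetric, the passphrase is the only secret.
def sym_encrypt(plaintext: bytes, passphrase: str) -> bytes:
    return seal(derive_key(passphrase), plaintext)


def sym_decrypt(blob: bytes, passphrase: str):
    return open_sealed(derive_key(passphrase), blob)


# Design B: a random long-term key lives in a key file wrapped under the
# passphrase; entries are sealed under the long-term key, so decrypting
# needs the key file AND the passphrase (the "asymmetric" case in the thread).
def make_keyfile(passphrase: str) -> bytes:
    return seal(derive_key(passphrase), os.urandom(32))


def key_encrypt(plaintext: bytes, keyfile: bytes, passphrase: str) -> bytes:
    return seal(open_sealed(derive_key(passphrase), keyfile), plaintext)


def key_decrypt(blob: bytes, keyfile, passphrase: str):
    if keyfile is None:  # key file not on this disk (e.g. held on a smartcard)
        return None
    longterm = open_sealed(derive_key(passphrase), keyfile)
    if longterm is None:  # wrong passphrase for the key file
        return None
    return open_sealed(longterm, blob)


def recovery_matrix(passphrase: str = "correct horse", entry: bytes = b"hunter2") -> dict:
    """Which combinations of held files and known passphrase yield the entry.
    With the key file on the same disk as the store, both designs come down
    to the passphrase; only when the key file is elsewhere does design B
    require something more."""
    keyfile = make_keyfile(passphrase)
    sym_blob = sym_encrypt(entry, passphrase)
    key_blob = key_encrypt(entry, keyfile, passphrase)
    return {
        "A: store + passphrase": sym_decrypt(sym_blob, passphrase) == entry,
        "A: store, wrong passphrase": sym_decrypt(sym_blob, "guess") == entry,
        "B: store + keyfile + passphrase": key_decrypt(key_blob, keyfile, passphrase) == entry,
        "B: store + keyfile, wrong passphrase": key_decrypt(key_blob, keyfile, "guess") == entry,
        "B: store + passphrase, keyfile off-disk": key_decrypt(key_blob, None, passphrase) == entry,
    }


if __name__ == "__main__":
    for case, ok in recovery_matrix().items():
        print(f"{case:45s} -> {'decrypts' if ok else 'fails'}")
```

The matrix makes both sides of the exchange concrete: when everything is on one disk, the passphrase is the only thing standing between the files and the plaintext in either design, while a key file kept off the disk is the one case where design B is genuinely stronger.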
_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
