From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: Hartmut Goebel <h.goebel@crazy-compilers.com>, 25094@debbugs.gnu.org
Subject: bug#25094: Add comments to archive keys and acls
Date: Sun, 04 Dec 2016 00:55:58 +0100 [thread overview]
Message-ID: <87inr08t4h.fsf@gnu.org> (raw)
In-Reply-To: <20161202181351.GA30572@jasmine> (Leo Famulari's message of "Fri, 2 Dec 2016 13:13:51 -0500")
Leo Famulari <leo@famulari.name> skribis:
> On Fri, Dec 02, 2016 at 06:38:12PM +0100, Hartmut Goebel wrote:
>> Hi,
>>
>> the keys for authenticating an archive currently do not hold any
>> comment. This makes it hard to track acls and remove certain keys if
>> required.
>
> Indeed, this makes key management a little harder than it needs to be.
Agreed. The crux of the problem is that libgcrypt’s canonical sexp
parser does not recognize comments.
<http://people.csail.mit.edu/rivest/Sexp.txt> does not specify comments,
which may be the reason, but other implementations of canonical sexps
(such as lsh and Nettle) do recognize them, so we should just get
libgcrypt to follow suit.
>> Please implement some way to add and change the comment on keys in
>> /etc/guix/ and in /etc/guix/acl.
>>
>> Proposed usage when generating the key:
>> guix archive --generate-key=… --comment "store.example.com"
>>
>> Proposed usage when importing the key and overwriting any existing comment
>>
>> guix archive --authorize --comment "store.example.com"
>>
>> For now, since we have no commands for key management, these would be
>> enough IMO. Existing commenty an easily be changed in the file, so for
>> now we do not need a tool for this.
>
> I think that the comment should either be signed somehow, or the field
> name should be "untrusted-comment".
I think it’s no different than the optional comment in OpenSSH public
keys, and it should be clear that it’s free from and untrusted by
definition (the sexp syntax at least makes it clear that it’s a comment,
as opposed to the OpenSSH public key format).
Ludo’.
prev parent reply other threads:[~2016-12-03 23:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-02 17:38 bug#25094: Add comments to archive keys and acls Hartmut Goebel
2016-12-02 18:13 ` Leo Famulari
2016-12-03 23:55 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87inr08t4h.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=25094@debbugs.gnu.org \
--cc=h.goebel@crazy-compilers.com \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).