
Re: dupload similar for master?



On Aug 16, Tom Lees decided to present us with:
> Lalo Martins <lalo@webcom.com> wrote:
> 
> > > hmm and since the files are small...no real problem...and since you are
> > > sshed in anyway (we should hope) it's not too bad giving it your
> > > pgp passphrase...
> 
> > The beautiful thing is, neither passphrase goes through the web.
> > The pgp-signing is made in your own machine.
> 
> Hmmm, well both passphrases go through an ssh connection. How secure do
> you think ssh is? They both also go through a program on master. How secure
> do you think master is? What about a trojan attack?

No they wouldn't. It would happen more or less as you described.
The unsigned file would be transferred to your machine, signed
in your machine and transferred back (now signed) to master. No
passphrases in the net ever.

To do the transfers, the program at master could signal the
daemon in your machine in some way, then this daemon would scp
things down then up. So the daemon would only ask for your ssh
and pgp passphrases, sending none through the net.

[]s,
                                               |alo
                                               +----
--
        When it feels like I'm going crazy,
     Found a cure to get me through another day...
http://www.webcom.com/lalo      mailto:lalo@webcom.com
                 pgp key in the web page

Free Software Union       --       http://www.fslu.org
Debian GNU/Linux       --        http://www.debian.org

       The Ox project        (BADLY NEEDING HELP)
              http://www.webcom.com/lalo/ox

