[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] Creating Box Identity Keys

On 10 December 2012 02:18, Nick Daly <nick.m.daly at gmail.com> wrote:

> For the FBX to be able to enforce identity standards, we need to
> guarantee that SSH and PGP keys are available on for each user (in the
> users group) on boxen at all times.  This can be enforced by a simple
> cron job that scans each user's home directory every hour or so and
> creates the keys users need if they don't exist.  To do that, we'd need
> to get the information we need to create the key from the user ahead of
> time and pass it into the key creation tool.
> The good news is that, if we do this sort of key creation in the
> background, over time, we don't get hung up on the fact that we don't
> have enough entropy when the box boots: keys will be continuously
> created as entropy becomes available.  This'll consume a lot of entropy,
> so it's good that we only need to do it once per user.
> - Do we need other types of keys?
> - How does "gpg --gen-key --batch" work?
> - Does the entire structure work at all?  What complications am I
>   missing?  The locking might be a bit tricky, but hardly impossible.

I like to use the same key for both GPG and X.509.  Forthcoming GNOME
keyrings may be able to syncronize things through PKCS11.  It's possible to
convert between the two using bouncy castle (I have some code) or maybe
monkeysphere does it too.  You also need a key for your web server, in the
case you are using a self signed cert.

> Nick
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20121210/dc543065/attachment-0001.html>

Reply to: