Re: [Ecryptfs-devel] [PATCH] ecryptfs-utils: key escrow
On Thu, Oct 30, 2008 at 11:26:35AM -0500, Dustin Kirkland wrote: On Thu, Oct 30, 2008 at 11:18 AM, Dustin Kirkland [EMAIL PROTECTED] wrote: Also, Mike, do you have any documents, discussing the overarching design? In particular, I'm interested in the use case for key escrow The use case I have in mind is when an employee installs the workstation client and sets up his encrypted location, he is prompted with the option of seamlessly transmitting his key to a key escrow server maintained by the organization. If the user elects to use that service, then his data can be recovered by the company's IT department when he later forgets his passphrase. , and how that maps to the concerns raised in: * http://www.cdt.org/crypto/risks98/ This report addresses risks relating to government legislation mandating key escrow. I do not endorse such legislation. pgpQ5n3zltLjn.pgp Description: PGP signature - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ eCryptfs-devel mailing list eCryptfs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
Re: [Ecryptfs-devel] [PATCH] ecryptfs-utils: key escrow
On Wed, Oct 29, 2008 at 11:57 AM, Michael Halcrow [EMAIL PROTECTED] wrote: This patch makes the minimal changes necessary to enable passphrase key escrow and key recovery via a SOAP client/server mechanism. This is currently at the proof-of-concept level of implementation; there is ample opportunity to add features. You need Python and SWIG installed to build the libecryptfs SWIG component. Run key-escrow-server, and then run escrow-passphrase.py [passphrase] to escrow the key and retrieve-passphrase.py [sig] to fetch the key from the server and put it in your keyring, all via localhost. There are all kinds of opportunities to make this useful and secure, such as stunnel for client-server communications, some kind of authentication mechanism, and the ability to specify the remote server and storage location. This patch just gives a convenient base from which to flesh out a real key escrow capability. From a packaging standpoint, I think it might make sense separate the key escrow bits to a another binary package, as introducing python as a dependency is mostly unrelated to the existing ecryptfs-utils tools. I'll see what I can come up with, and run it by the Debian packager. :-Dustin - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ eCryptfs-devel mailing list eCryptfs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
