On Tue, 2014-07-15 at 09:13 -0500, Endi Sukma Dewata wrote:
> Hi,
>
> I've been working on the implementation details of password vault:
> http://www.freeipa.org/page/V4/Password_Vault_Implementation
>
> There are some issues (i.e. vault password and vault key) that aren't
> specifically defined in the design, so we need to make some decisions.
>
> Please let me know if you have any comments or questions. Thanks!

I am reading this document and there are some things I need to ask for clarification on:

* In "Vault password and secret key" you describe a mechanism where you store a hash of the password used to generate the secret key, why? What's the purpose?
* Why do shared vaults need to be in a /shared/ namespace? Can't a user create a vault and then share it with other users? I.e., should the fact that a vault is shared just be a property that can be changed at any time? If not, why not?
* In "Listing secrets in a vault" it seems that the metadata about various secrets is obtainable in the clear, is that so? I am not sure it is a good idea to give blatant hints about what is being encrypted in the vault.
* In "Modifying a secret" you use "ipa vault-secret-del" but you mean -mod I guess.
* Why are services in the /shared/ namespace?
* The paragraph "Changing service vault password" confuses me, is it correct?

I have not fully internalized all there is there, but most of it looks quite good.

Simo.

--
Simo Sorce * Red Hat, Inc * New York