On 22.05.2012, at 11:58, Dirk Kastens <[email protected]> wrote:
> Hi Frank, > >> ownCloud updates the encrypted key, which is used to encrypt the files, >> every-time a user or admin changes the password. So password change is >> possible. >> But this only works for local accounts at the moment and doesn´t work with >> ldap users because we don´t get notification if a password is changed >> remotely. The only solution to solve this is to store the password locally >> and compare it with the ldap login password at the moment the user logs in >> and update the encrypted key. This would be a huge security problem >> obviously. >> >> Because of that encryption and ldap are both switched off by default >> currently. We don´t recommend that admins turn on both at the same time >> because of the reason you just mentioned. I will add a warning to the code >> about that. >> >> Sorry for the trouble. We try to improve the encryption significantly in the >> next version and we hope to find a solution for ldap users. > > OK, but I don't understand, why you use the user's password as the key. In > the encryption module of Drupal, for example, you have to enter the > encryption key in the admin menu, and it is stored in the database. Other > systems are using a hidden file for the key. But the user password is really > a bad idea, IMO Encryption is useless if you store the data and the key on the same machine. A hidden file is not inaccessible for an admin. So this doens´t give additional security to the user at all. Having a separate encryption password independently from the login password would be possible but then you break WebDAV access and even ldap integration is kind of useless if you have to type in a locally stored second password to access your files which is not in ldap centrally. So having the perfect encryption system is really tricky. There are always pros and cons for every crypto solution. In the next release we want to provide a more advanced solutions with config options to a user can choose which kind of encryption should be used. Frank _______________________________________________ Owncloud mailing list [email protected] https://mail.kde.org/mailman/listinfo/owncloud
