https://bugzilla.wikimedia.org/show_bug.cgi?id=68129
--- Comment #6 from James Alexander <[email protected]> ---

(In reply to Chris Steipp from comment #5)

> Storing the private key on the server does seem to defeat the purpose of
> encrypting the results, unless that key is itself encrypted, or stored
> somewhere that has extra controls.
>
> From what I can understand of the flow, if you want to keep it how you have
> it, you could probably encrypt the private key with a new random password,
> and then email the password to the users who are supposed to use it.
>
> A safer option is to have the private-key users actually do the key
> generation, and then add only the public key to the poll before it starts.
> That prevents attacks on getting the private key, and attacks on the key
> generation process.

Sorry for the delay in responding to this.

First off, we have two keys that need to be created here. One never needs to be sent to anyone but should definitely be automatically created and inserted into the database (this is the signing key, which should be created with a comment something along the lines of "{{election name}} signing key"; the private key has to be inserted into the database). The second key is the 'encryption' key and the one we're mostly talking about here. This is the one where the public key needs to be inserted into the database but the private key should not be (until after the election).

I don't think we need to get too deep in the guts here since time is more important and, in the end, this is still a highly specialized tool and a bit of manual intervention in some areas is ok because of that. This was the idea about saving it on the server, not because it would stay there (it shouldn't) but just because it was a place it could be easily pulled from.
The big thing that I would like to try and avoid is the user manually creating the key themselves (using the cli tool etc). That's fine and dandy for me (and I've done it for the past couple years) but it's a strong weak point for people to screw up on or not know what to do. I want to make that as easy as possible, and anything that requires them to copy and paste the key in to a form is bad for that and I think removes functionality and security from the current system rather than adding it in the end.

I could be ok with a separate form (perhaps that requires a separate right) that delivers the secure key to you as a download. The email option is intriguing but I imagine then requires us to put in a config variable for what email to use or to require that the poll creator know what email it should go to (and could easily just send it to themselves, and that's actually probably the default for most people just out of what you would expect). That doesn't seem incredibly future proof... tbh I'm mostly still leaning towards saving the private key somewhere as hackish but one of the better options given everything, but I can understand the desire not to do that.

What is the level of effort required for the options? The current copy and paste piece just doesn't meet the requirements sadly.

--
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
