[Freedombox-discuss] Creating Box Identity Keys

Charles N Wyble charles-lists at knownelement.com
Mon Dec 10 01:51:30 UTC 2012


Why not just generate high amounts of entropy on a constant basis?  Create the keys when the user account gets created? That's the approach we (Free Network Foundation) are taking with the AutoTunnel system.

Nick Daly <nick.m.daly at gmail.com> wrote:

>For the FBX to be able to enforce identity standards, we need to
>guarantee that SSH and PGP keys are available for each user (in the
>users group) on boxen at all times.  This can be enforced by a simple
>cron job that scans each user's home directory every hour or so and
>creates the keys users need if they don't exist.  To do that, we'd need
>to get the information we need to create the key from the user ahead of
>time and pass it into the key creation tool.
>
>The good news is that, if we do this sort of key creation in the
>background, over time, we don't get hung up on the fact that we don't
>have enough entropy when the box boots: keys will be continuously
>created as entropy becomes available.  This'll consume a lot of entropy,
>so it's good that we only need to do it once per user.
>
>- Do we need other types of keys?
>
>- How does "gpg --gen-key --batch" work?
>
>- Does the entire structure work at all?  What complications am I
>  missing?  The locking might be a bit tricky, but hardly impossible.
>
>Nick

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
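
Added example, not part of either message above and not FreedomBox or AutoTunnel code: a sketch of the hourly per-user key check Nick describes, including the locking and the parameter text that `gpg --batch --gen-key` reads from stdin. The key paths, the `.keygen.lock` file name, the function names and the injectable `run` argument are assumptions made for illustration.

```python
import fcntl
import subprocess
from pathlib import Path

SSH_KEY = ".ssh/id_ed25519"               # assumed key path
GPG_KEYS = ".gnupg/private-keys-v1.d"     # GnuPG >= 2.1 secret-key directory

def gpg_batch_params(real_name, email, bits=4096):
    """Build the parameter text that `gpg --batch --gen-key` reads from stdin."""
    for value in (real_name, email):
        if "\n" in value or "\r" in value:
            # A newline would let user-supplied data inject extra directives.
            raise ValueError("newline in identity field")
    return "\n".join([
        "%no-protection",                 # no passphrase: unattended only
        "Key-Type: RSA", f"Key-Length: {bits}",
        "Subkey-Type: RSA", f"Subkey-Length: {bits}",
        f"Name-Real: {real_name}", f"Name-Email: {email}",
        "Expire-Date: 0", "%commit", ""])

def missing_keys(home):
    """Return the key types ("ssh", "gpg") not yet present under home."""
    home, missing = Path(home), []
    if not (home / SSH_KEY).is_file():
        missing.append("ssh")
    keydir = home / GPG_KEYS
    if not (keydir.is_dir() and any(keydir.iterdir())):
        missing.append("gpg")
    return missing

def ensure_keys(home, real_name, email, run=subprocess.run):
    """Create whatever is missing; return the list of key types created."""
    home = Path(home)
    with open(home / ".keygen.lock", "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return []                     # an earlier run is still generating
        todo = missing_keys(home)
        if "ssh" in todo:
            (home / ".ssh").mkdir(mode=0o700, exist_ok=True)
            run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "",
                 "-f", str(home / SSH_KEY)], check=True)
        if "gpg" in todo:
            (home / ".gnupg").mkdir(mode=0o700, exist_ok=True)
            run(["gpg", "--homedir", str(home / ".gnupg"), "--batch",
                 "--gen-key"], input=gpg_batch_params(real_name, email).encode(),
                check=True)
        return todo
```

Run it as the target user rather than root, since the job writes into directories that user controls. `%no-protection` leaves the private key unencrypted on disk, so the home directory's permissions are the only protection until the user sets a passphrase.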