turiya / keyczar

Automatically exported from code.google.com/p/keyczar

Unreversible Key Revocations #14

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Can we do anything to ensure that the (revoked key) file can't just be
undeleted? Maybe overwrite it with zeros first, although that might not
make a difference if the current version is cached. Probably better to keep
all key material encrypted on disk using an encrypted reader.

Original issue reported on code.google.com by arkajit.dey on 6 Aug 2008 at 7:47

GoogleCodeExporter commented 9 years ago
Ideally, all keys would be kept on disk in encrypted form. That begs the question of what they're encrypted with. One idea is to have a command-line password, and pass it to some "KeyczarDeriver" class. That would bootstrap a Crypter which could be used to decrypt other keys.

That doesn't really solve the problem, because if your master key is compromised, your encrypted key material may still get exposed. One trick might be to overwrite the keys before deleting. This doesn't really do much, since they might be cached or backed up elsewhere.

Original comment by stevew...@gmail.com on 7 Aug 2008 at 7:10

GoogleCodeExporter commented 9 years ago
If Revoked became a full-fledged key lifecycle state then you could (optionally) zeroize the key value but keep a record of the fact that the key existed and the period(s) during which it was Active, among other useful historical facts. Deleting the key metadata seems like the wrong way to go, particularly if you might still have files holding the key value floating around. Keeping the metadata gives you some hope of identifying these files should you come across them. Finally, there might be situations in which you do not want to zeroize a Revoked key, depending on what it had been used for. All IMHO, as always.

Original comment by sguth...@gmail.com on 13 Aug 2008 at 1:29

GoogleCodeExporter commented 9 years ago
The "inactive" status should be used for keys that you want to keep around, but don't want to use.

It may not be a bad idea to keep metadata around for revoked keys, although I can't think what you'd do with them. They'd essentially be tombstones: "Key #2 was here." I suppose it wouldn't hurt.

Original comment by stevew...@gmail.com on 13 Aug 2008 at 5:27
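
The lifecycle state sketched in the two comments above, as an added example that is not part of the original thread or of Keyczar's code: a keyset in which Revoked is a real state rather than a deleted file. Revoking overwrites the key bytes in the buffer but keeps a tombstone (version number, status history, and a fingerprint of the key value) so that a stray copy of the old key can still be recognized. The status names PRIMARY, ACTIVE and INACTIVE follow Keyczar; REVOKED as a retained state, the SHA-256 fingerprint, the logical clock and all class and method names here are assumptions of this example.

```python
# Added example, not Keyczar's own code: Revoked as a lifecycle state that
# zeroizes the key bytes but keeps a tombstone (version, history, fingerprint).
# PRIMARY/ACTIVE/INACTIVE are Keyczar's status names; REVOKED, the fingerprint
# and the history field are assumptions of this example.
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class KeyStatus(Enum):
    PRIMARY = "PRIMARY"
    ACTIVE = "ACTIVE"
    INACTIVE = "INACTIVE"  # kept around, not used for new output
    REVOKED = "REVOKED"    # tombstone: bytes zeroized, metadata retained


@dataclass
class KeyRecord:
    version: int
    status: KeyStatus
    # bytearray is mutable, so the buffer can be overwritten rather than merely
    # dropped; an immutable `bytes` object cannot be zeroized from Python.
    material: bytearray
    fingerprint: str  # SHA-256 hex of the key bytes; survives zeroization
    history: List[Tuple[str, int]] = field(default_factory=list)  # (status, tick)


class KeySet:
    def __init__(self) -> None:
        self._keys: Dict[int, KeyRecord] = {}
        self._tick = 0  # logical clock standing in for wall-clock timestamps

    def _now(self) -> int:
        self._tick += 1
        return self._tick

    def add_key(self, material: bytes, primary: bool = False) -> int:
        version = max(self._keys, default=0) + 1
        status = KeyStatus.PRIMARY if primary else KeyStatus.ACTIVE
        # A plain hash is a safe fingerprint only for full-entropy keys; for
        # anything weaker it would hand an attacker a brute-force oracle.
        rec = KeyRecord(version, status, bytearray(material),
                        hashlib.sha256(material).hexdigest())
        rec.history.append((status.value, self._now()))
        self._keys[version] = rec
        return version

    def _set_status(self, version: int, status: KeyStatus) -> None:
        rec = self._keys[version]
        rec.status = status
        rec.history.append((status.value, self._now()))

    def demote(self, version: int) -> None:
        self._set_status(version, KeyStatus.INACTIVE)

    def revoke(self, version: int) -> None:
        rec = self._keys[version]
        # Overwrite this buffer in place. As the thread notes, that says nothing
        # about copies elsewhere (backups, page cache, the `bytes` passed to
        # add_key); the fingerprint is what lets those copies be found later.
        rec.material[:] = bytes(len(rec.material))
        self._set_status(version, KeyStatus.REVOKED)

    def key_for_use(self, version: int) -> bytes:
        rec = self._keys[version]
        if rec.status is KeyStatus.REVOKED:
            raise PermissionError(f"key version {version} is revoked")
        return bytes(rec.material)

    def identify(self, candidate: bytes) -> Optional[int]:
        """Map a key value found 'floating around' to its version, revoked or not."""
        fp = hashlib.sha256(candidate).hexdigest()
        for rec in self._keys.values():
            if rec.fingerprint == fp:
                return rec.version
        return None

    def active_periods(self, version: int) -> List[Tuple[int, Optional[int]]]:
        """(start, end) ticks during which the key could produce new output; end None means still active."""
        periods: List[Tuple[int, Optional[int]]] = []
        start: Optional[int] = None
        for status, tick in self._keys[version].history:
            usable = status in (KeyStatus.PRIMARY.value, KeyStatus.ACTIVE.value)
            if usable and start is None:
                start = tick
            elif not usable and start is not None:
                periods.append((start, tick))
                start = None
        if start is not None:
            periods.append((start, None))
        return periods

    def tombstone(self, version: int) -> dict:
        """What stays on disk for a revoked key: 'Key #N was here', and when."""
        rec = self._keys[version]
        return {"version": rec.version, "status": rec.status.value,
                "fingerprint": rec.fingerprint, "history": list(rec.history)}


if __name__ == "__main__":
    ks = KeySet()
    old = ks.add_key(bytes(range(32)), primary=True)  # constructed sample key bytes
    ks.add_key(bytes(range(32, 64)))
    ks.demote(old)
    ks.revoke(old)
    print(ks.tombstone(old))
    print("stray file matches version", ks.identify(bytes(range(32))))
```

The two design choices worth noting: the key value lives in a `bytearray` precisely so that `revoke` can overwrite it rather than just drop a reference, and the fingerprint is computed at creation time so the tombstone can still answer "which key was this?" for a file discovered long after the bytes in the keyset were zeroed. Neither addresses copies outside the process, which is the limitation the thread itself raises.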

GoogleCodeExporter commented 9 years ago
Didn't make it into 0.5b, pushing it to 1.0.

Original comment by arkajit.dey on 20 Aug 2008 at 5:14