Subject: Re: BPG Security Server
To: Curt Sampson <cjs@cynic.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 07/29/2005 15:12:21

On Tue, Jul 26, 2005 at 10:29:09AM +0900, Curt Sampson wrote:
>
> So, Steven Bellovin's comments on various clients he wanted to use with
> PGP got me thinking, and it got me thinking that I just don't trust them
> with my passphrase. For stuff like that, it seems to make a lot more
> sense to implement a small, trusted "PGP server" with a console that
> would accept requests from client applications for use of keys, allow
> me to approve or deny these requests, take my password when necessary,
> act as a caching agent for my key, and so on. Essentially, I envision
> something like this:
>
>     * Run server, enter my password, it caches my keys.
>
>     * Client requests encryption of stuff, either with a given key or
>       with no particular key
>     * Server prompts me to see if client is allowed to use the encryption
>       service
>     * Server helps me find the key to use, or shows key info for
>       the client-requested key, and I verify trust information and tell
>       server that it's ok to use the key
>     * Server then performs encryption for client on request, until its
>       time limit expires or I cut it off.
>
>     * Client requests signing of stuff
>     * Server prompts me to see if client is allowed to use the encryption
>       service
>     * Same as above re choosing keys and so on
>     * Server then performs signing for client on request, until its
>       time limit or signature count limit expires or I cut it off.
>
> Thoughts?

Sorry for being a bit late to the discussion, but this sounds a lot like
how Keychain access works in MacOS X. At least in a vague "User
experience" way. We should look at what other OSs have done, at least to
not repeat their mistakes. :-)

Take care,

Bill

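A sketch of the per-client grant policy in the quoted proposal (console approval, then use until a time limit or signature count limit expires or the user cuts it off), added here as an example and not code from this thread or from any PGP implementation. The names KeyAgent, approve, ttl and max_uses are hypothetical, and HMAC-SHA256 stands in for the PGP signing operation.

```python
import hashlib
import hmac
import time


class KeyAgent:
    """Holds the key; clients only ever get results, never key material."""
    def __init__(self, key, approve, clock=time.monotonic):
        self._key = key            # stand-in for the cached, unlocked private key
        self._approve = approve    # callback modelling the console prompt
        self._clock = clock
        self._grants = {}          # (client, op) -> [expiry, remaining uses]

    def _authorize(self, client, op, ttl, max_uses):
        now = self._clock()
        grant = self._grants.get((client, op))
        if grant is None or now >= grant[0] or grant[1] <= 0:
            # No live grant: ask the user at the console, fail closed on "no".
            self._grants.pop((client, op), None)
            if not self._approve(client, op):
                raise PermissionError(f"{client} denied for {op}")
            grant = self._grants[(client, op)] = [now + ttl, max_uses]
        grant[1] -= 1

    def sign(self, client, data, ttl=300.0, max_uses=3):
        self._authorize(client, "sign", ttl, max_uses)
        # HMAC-SHA256 stands in for the PGP signature operation.
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def revoke(self, client):
        """The 'I cut it off' case: drop every grant held by this client."""
        for k in [k for k in self._grants if k[0] == client]:
            del self._grants[k]


def demo():
    prompts = []
    fake_now = [0.0]               # constructed clock so the demo runs instantly
    def approve(client, op):
        prompts.append((client, op))
        return client == "mailer"  # constructed policy: only "mailer" is approved
    agent = KeyAgent(b"constructed-demo-key", approve, clock=lambda: fake_now[0])
    for _ in range(3):
        agent.sign("mailer", b"msg")   # one prompt covers three signatures
    agent.sign("mailer", b"msg")       # count limit reached: prompts again
    fake_now[0] = 1000.0
    agent.sign("mailer", b"msg")       # time limit reached: prompts again
    return prompts
```

The point of the structure is that the prompt, the limits and the key all live on the agent's side of the boundary, so a misbehaving client can at worst burn through the grant it was given.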