
Re: Determining key permission bits



On Fri, Dec 20, 2013 at 6:22 PM, Colin Percival <cperciva@tarsnap.com> wrote:
> On 12/20/13 08:51, Andy Lutomirski wrote:
>> FWIW, ls -l does give some hint -- keys with fewer permissions seem to
>> be smaller.
>
> Yes, this is generally correct, although there can be confounding factors -- if
> a key file is passphrase-protected then it will be larger than a file with the
> same keys but no encryption.
>
>> Also, it would be nice if there was a way to revoke or rotate the delete key.
>
> Hmm, interesting idea.  I wonder what credentials should be used to authorize
> a key-rotation request...
>

Nuke, at least, should be sufficient :)

Alternatively, have a new rekey credential, which is initially equal
to delete or perhaps nuke.  Then allow (rekey, cred) to rotate cred.

--Andy

> --
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>



-- 
Andy Lutomirski
AMA Capital Management, LLC
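
Added example, not part of the original message and not Tarsnap code: a toy model of the second proposal above, where a `rekey` credential starts out equal to `delete` and a request tagged with `rekey` can rotate any credential, including `rekey` itself. The `KeyRegistry` class, the HMAC-SHA256 request tags and the epoch counter are assumptions made for illustration; the thread does not specify how a rotation request would be authenticated.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


class KeyRegistry:
    """Hypothetical server-side record of one machine's credentials."""

    def __init__(self, delete_key: bytes, nuke_key: bytes):
        # Per the proposal, rekey starts out equal to the delete credential.
        self.creds = {"delete": delete_key, "nuke": nuke_key, "rekey": delete_key}
        self.epoch = 0  # bumped on every rotation so an old request cannot be replayed

    def authorized(self, name: str, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(sign(self.creds[name], message), tag)

    def rotation_message(self, target: str, new_key: bytes) -> bytes:
        digest = hashlib.sha256(new_key).digest()
        return b"rotate|%d|%s|" % (self.epoch, target.encode()) + digest

    def rotate(self, target: str, new_key: bytes, tag: bytes) -> bool:
        """Apply (rekey, cred): replace creds[target] if tagged with the rekey key."""
        if target not in self.creds:
            return False
        if not self.authorized("rekey", self.rotation_message(target, new_key), tag):
            return False
        self.creds[target] = new_key
        self.epoch += 1
        return True


def demo():
    delete0, nuke0 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    reg = KeyRegistry(delete0, nuke0)
    rekey1, delete1 = secrets.token_bytes(32), secrets.token_bytes(32)
    # The delete key still works as rekey, so it can move rekey to a fresh value.
    ok1 = reg.rotate("rekey", rekey1, sign(delete0, reg.rotation_message("rekey", rekey1)))
    # After that, the old delete key no longer authorizes rotations...
    ok2 = reg.rotate("delete", delete1, sign(delete0, reg.rotation_message("delete", delete1)))
    # ...but the separate rekey credential does.
    stale = sign(rekey1, reg.rotation_message("delete", delete1))
    ok3 = reg.rotate("delete", delete1, stale)
    replay = reg.rotate("delete", delete1, stale)  # same tag, epoch has moved on
    old_ok = reg.authorized("delete", b"delete archive", sign(delete0, b"delete archive"))
    return ok1, ok2, ok3, replay, old_ok
```

Until `rekey` is first rotated, anyone holding the delete key can rotate every credential in this model, so separating the two is the step that makes a later delete-key rotation meaningful.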