Re: [Inkscape-board] Keys and Passwords
On Tue, Dec 03, 2013 at 01:56:56PM -0500, Martin Owens wrote:
Dear Inkscape Board,
See attached for kickstarter keys, feel free to update email address, delete account, or just save the account for some future event.
Thanks. I think we need to standardize the process for how to hold and share keys and other authentication information. But I don't know how to best handle this. I've asked Kees Cook for advice on best practices. If anyone else knows how other projects do this, do share.
The DNS request for inkscape.org should include a webadmin@...66... redirect and maybe a board@...66... address to contact the board when needed (if not already set up).
Use inkscape-board@lists.sourceforge.net, but ideally the board should only very rarely need to be contacted.
Let me know if you'd like one of these osl servers to handle that sort of thing or if you have something set up already.
For webadmin@...66..., I think you can set up redirects through OSL as you see fit. (If anyone disagrees, chime in now...)
Best Regards, Martin Owens
On Fri, 2013-12-20 at 19:32 -0800, Bryce Harrington wrote:
On Tue, Dec 03, 2013 at 01:56:56PM -0500, Martin Owens wrote:
Dear Inkscape Board,
See attached for kickstarter keys, feel free to update email address, delete account, or just save the account for some future event.
Thanks. I think we need to standardize the process for how to hold and share keys and other authentication information. But I don't know how to best handle this. I've asked Kees Cook for advice on best practices. If anyone else knows how other projects do this, do share.
One solution would be to use something like Lastpass. Their Enterprise version supports these types of use-cases. It seems a bit expensive for us, but they have been OSS friendly in the past.
https://lastpass.com/enterprise/
Ted
On 23-12-2013 15:25, Ted Gould wrote:
On Fri, 2013-12-20 at 19:32 -0800, Bryce Harrington wrote:
On Tue, Dec 03, 2013 at 01:56:56PM -0500, Martin Owens wrote:
Dear Inkscape Board,
See attached for kickstarter keys, feel free to update email address, delete account, or just save the account for some future event.
Thanks. I think we need to standardize the process for how to hold and share keys and other authentication information. But I don't know how to best handle this. I've asked Kees Cook for advice on best practices. If anyone else knows how other projects do this, do share.
One solution would be to use something like Lastpass. Their Enterprise version supports these types of use-cases. It seems a bit expensive for us, but they have been OSS friendly in the past.
I was about to propose Lastpass. I use Lastpass and it's been great so far. But I don't know how it works with multiple persons. I don't know how other projects solve this problem. To me it sounds a good topic for asking the Conservancy.
regards, Johan
On Wed, Jan 08, 2014 at 08:59:48PM +0100, Johan Engelen wrote:
On 23-12-2013 15:25, Ted Gould wrote:
On Fri, 2013-12-20 at 19:32 -0800, Bryce Harrington wrote:
On Tue, Dec 03, 2013 at 01:56:56PM -0500, Martin Owens wrote:
Dear Inkscape Board,
See attached for kickstarter keys, feel free to update email address, delete account, or just save the account for some future event.
Thanks. I think we need to standardize the process for how to hold and share keys and other authentication information. But I don't know how to best handle this. I've asked Kees Cook for advice on best practices. If anyone else knows how other projects do this, do share.
One solution would be to use something like Lastpass. Their Enterprise version supports these types of use-cases. It seems a bit expensive for us, but they have been OSS friendly in the past.
I was about to propose Lastpass. I use Lastpass and it's been great so far. But I don't know how it works with multiple persons.
Looks like there is an Enterprise version, which costs $24 per person. So, like $200/yr for ~8 accounts. There's a trial option for free, but don't know how long that runs.
I don't know how other projects solve this problem. To me it sounds a good topic for asking the Conservancy.
Poking around, looks like a common approach is to stick a gpg encrypted file into a git repository, using each person's gpg key when signing it. That way everyone has their own private password for accessing the data, and adding or removing a person just involves re-encrypting it and adding or dropping them from the signatures list.
Simple explanation: http://blog.bogosity.se/2011/01/12/managing-passwords-using-gnupg-git-and-em...
More detailed: https://enter2exit.wordpress.com/2011/03/01/managing-passwords-with-vimgpggi...
The Debian project uses a variation on this, which uses 'subkeys': https://wiki.debian.org/subkeys
I experimented with this (via the first link) and it looks straightforward enough, at least once you have your gpg key set up. We'd just need to do a key exchange with each other to start.
Bryce
On Wed, Jan 08, 2014 at 12:40:38PM -0800, Bryce Harrington wrote:
On Wed, Jan 08, 2014 at 08:59:48PM +0100, Johan Engelen wrote:
I don't know how other projects solve this problem. To me it sounds a good topic for asking the Conservancy.
Poking around, looks like a common approach is to stick a gpg encrypted file into a git repository, using each person's gpg key when signing it. That way everyone has their own private password for accessing the data, and adding or removing a person just involves re-encrypting it and adding or dropping them from the signatures list.
Simple explanation: http://blog.bogosity.se/2011/01/12/managing-passwords-using-gnupg-git-and-em...
More detailed: https://enter2exit.wordpress.com/2011/03/01/managing-passwords-with-vimgpggi...
The Debian project uses a variation on this, which uses 'subkeys': https://wiki.debian.org/subkeys
I experimented with this (via the first link) and it looks straightforward enough, at least once you have your gpg key set up. We'd just need to do a key exchange with each other to start.
Bryce
Since there have been no objections I've decided to experiment a bit more with this, and set up a bzr repo at lp:~inkscape.admin/+junk/admin-docs with the gpg encrypted password file.
There's a README in there with some directions sketched in if anyone wants to follow along with me.
Bryce
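The shared GnuPG-encrypted password file discussed in this thread, as an added example that is not from any participant's message or from the README mentioned above. The addresses, the function names and the throwaway passphrase-less keys are assumptions made for the demonstration; real members would use their own keys after exchanging and verifying them.

```shell
#!/bin/sh
# Added example. Names, addresses and key settings are constructed.

# Throwaway keyring with passphrase-less demo keys for three members.
setup_demo_keys() {
    GNUPGHOME="$(mktemp -d)" && export GNUPGHOME && chmod 700 "$GNUPGHOME"
    for who in alice bob carol; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who@example.org" default default never \
            2>/dev/null || return 1
    done
}

cleanup_demo_keys() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

# encrypt_for OUTPUT USER_ID...  (plaintext on stdin). One session key is
# wrapped separately for every recipient's public key.
encrypt_for() {
    out="$1"; shift
    for r do set -- "$@" --recipient "$r"; shift; done
    gpg --batch --yes --quiet --armor "$@" --output "$out" --encrypt
}

# Number of recipients = number of public-key encrypted session key packets.
recipient_count() {
    gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# has_recipient FILE USER_ID: is the file encrypted to that member's subkey?
has_recipient() {
    sub="$(gpg --batch --list-keys --with-colons "$2" 2>/dev/null |
           awk -F: '$1 == "sub" { print $5; exit }')"
    [ -n "$sub" ] || return 1
    gpg --batch --list-packets "$1" 2>/dev/null | grep -q "keyid $sub"
}

# reencrypt_for FILE USER_ID...: add or drop members by re-encrypting.
# The plaintext is held in a shell variable and never written to disk.
reencrypt_for() {
    file="$1"; shift
    plain="$(gpg --batch --quiet --decrypt "$file" 2>/dev/null)" || return 1
    printf '%s\n' "$plain" | encrypt_for "$file.new" "$@" && mv "$file.new" "$file"
    rc=$?; unset plain; return $rc
}
```

Dropping a recipient only affects new revisions: earlier revisions in the repository history remain decryptable with that person's key, so the stored passwords need rotating as well.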
participants (3): Bryce Harrington, Johan Engelen, Ted Gould