From: Adrian Bunk <bunk@stusta.de>
To: Kyle Moffett <mrmacman_g4@mac.com>
Cc: "Trond Myklebust" <trond.myklebust@fys.uio.no>,
"David Härdeman" <david@2gen.com>,
"David Howells" <dhowells@redhat.com>,
"Christoph Hellwig" <hch@infradead.org>,
keyrings@linux-nfs.org, linux-kernel@vger.kernel.org
Subject: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Date: Sat, 28 Jan 2006 01:27:41 +0100 [thread overview]
Message-ID: <20060128002741.GE3777@stusta.de> (raw)
In-Reply-To: <8155F461-1703-476B-8C5D-B834EE49905D@mac.com>
On Fri, Jan 27, 2006 at 06:35:40PM -0500, Kyle Moffett wrote:
> On Jan 27, 2006, at 17:19, Trond Myklebust wrote:
> >On Fri, 2006-01-27 at 21:41 +0100, David Härdeman wrote:
> >
> >>For example, a backup daemon which wishes to store the backup on
> >>another host using ssh. Usually this is solved by storing an
> >>unencrypted key in the fs or by providing a connection to a ssh-
> >>agent which has been preloaded with the proper key(s). Both are
> >>quite inelegant solutions. With the in-kernel support, the daemon
> >>can request the key using the request_key call, and (provided
> >>proper scripts are written), the user who controls the relevant
> >>key can supply it. This in turn means that the backup daemon can
> >>sign using the key and read its public parts but not the private key.
> >
> >...but why would you want such a daemon to live in the kernel in
> >the first place? A backup application might perhaps need some
> >kernel support in order to ensure filesystem consistency, but that
> >does not mean that moving the entire daemon into the kernel is a
> >good idea.
>
> No, the point is not to put the backup daemon into the kernel, but to
> provide a way for the backup daemon and my user process to
> communicate DSA key details without completely giving the backup
> daemon my key. I may not entirely trust the backup daemon not to get
> compromised, but with support for the kernel keyring system,
> compromising the backup daemon would only compromise the backed up
> files, not the private keys and other secure data.
And why exactly is this not solvable through a userspace daemon?
> Cheers,
> Kyle Moffett
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
next prev parent reply other threads:[~2006-01-28 0:27 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-26 21:58 [PATCH 00/04] Add DSA key type David Härdeman
2006-01-26 21:58 ` [PATCH 03/04] Add encryption ops to the keyctl syscall David Härdeman
2006-01-26 21:58 ` [PATCH 01/04] Add multi-precision-integer maths library David Härdeman
2006-01-27 9:28 ` Christoph Hellwig
2006-01-27 20:07 ` David Howells
2006-01-27 20:41 ` David Härdeman
2006-01-27 22:19 ` [Keyrings] " Trond Myklebust
2006-01-27 23:35 ` Kyle Moffett
2006-01-28 0:27 ` Adrian Bunk [this message]
2006-01-28 3:45 ` Trond Myklebust
2006-01-28 7:17 ` Kyle Moffett
2006-01-28 10:39 ` Adrian Bunk
2006-01-28 0:22 ` Adrian Bunk
2006-01-28 10:46 ` David Härdeman
2006-01-28 13:03 ` Adrian Bunk
2006-01-28 17:09 ` David Härdeman
2006-01-28 16:37 ` [Keyrings] " Trond Myklebust
2006-01-28 16:57 ` David Härdeman
2006-01-29 3:20 ` Trond Myklebust
2006-01-29 11:33 ` David Härdeman
2006-01-29 12:29 ` Adrian Bunk
2006-01-29 13:09 ` Arjan van de Ven
2006-01-29 20:05 ` Steve French
2006-01-29 20:52 ` Arjan van de Ven
2006-01-29 21:41 ` Steve French
2006-02-06 12:31 ` David Howells
2006-01-29 23:18 ` Adrian Bunk
2006-01-29 13:18 ` David Härdeman
2006-01-29 23:36 ` Adrian Bunk
2006-01-30 18:09 ` Nix
2006-01-29 16:38 ` Trond Myklebust
2006-01-29 18:49 ` Dax Kelson
2006-01-29 19:10 ` Trond Myklebust
2006-01-29 21:29 ` David Härdeman
2006-01-29 21:46 ` Trond Myklebust
2006-01-29 21:13 ` David Härdeman
2006-01-29 21:28 ` Trond Myklebust
2006-01-29 22:02 ` David Härdeman
2006-01-29 22:05 ` Trond Myklebust
2006-01-29 22:54 ` Kyle Moffett
2006-01-29 23:07 ` Trond Myklebust
2006-01-29 23:15 ` Adrian Bunk
2006-01-29 21:09 ` Pavel Machek
2006-01-26 21:58 ` [PATCH 02/04] Add dsa crypto ops David Härdeman
2006-01-26 21:58 ` [PATCH 04/04] Add dsa key type David Härdeman
2006-01-27 1:10 ` [PATCH 00/04] Add DSA " Herbert Xu
2006-01-27 7:18 ` David Härdeman
2006-01-27 20:11 ` David Howells
2006-01-27 23:22 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060128002741.GE3777@stusta.de \
--to=bunk@stusta.de \
--cc=david@2gen.com \
--cc=dhowells@redhat.com \
--cc=hch@infradead.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mrmacman_g4@mac.com \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.