From: ori@eigenstate.org
To: 9fans@9fans.net
Subject: Re: [9fans] Solo factotum
Date: Tue, 30 Dec 2025 18:29:36 -0500
Message-ID: <082BB1F6719955832AA636A1DF46A15E@eigenstate.org>
In-Reply-To: <54c7d3ca-7bb4-44f6-8fc6-f8bc51cdd974@sirjofri.de>
List-Id: "9fans" <9fans.9fans.net>

y'all are reinventing a TPM.

Quoth sirjofri via 9fans <9fans@9fans.net>:
> 30.12.2025 19:22:13 Dworkin Muller :
> > Alternatively, just set it up as a secret store, like is done with
> > terminals.  Not quite as elegant/cool, but perhaps more practical.
>
> In general, you're right. However, the big difference (and why I think there's a solid use case for a factotum key) is that the machine that runs factotum has to be secure. If you have a terminal with its own factotum program, that's fine. The program is on a trusted machine. However, if your terminal boots off a fs, you have to trust the factotum program on that fs to not steal your keys when executed. If you run factotum in a remote session, you have to trust the server. If you have a single enclosed factotum key and no way for the host to download the secrets directly, then you can use it even on an untrusted machine.
>
> Sure, you still need a way to edit the keys. Maybe a specific mount access using an additional secret for editing or something similar could be invented.
>
> In any case, I think for a fully trusted environment you probably don't need a factotum key. I think the whole factotum and secstore stuff is built around this level of trust (you trust the grid). If you consider a public grid with multiple users and people who sign in as guests, I'd prefer to not have my secrets uploaded into the memory of a machine that I can't control myself, if possible. And people do set up grids like that. That's why I welcome experiments in that direction. Not to replace the current status quo, but to extend it in a compatible way for different use cases.
>
> sirjofri

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Ta60752663ff08448-Mfe30e767d437cfac9dbc3483
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
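The trust boundary the thread argues over, as an added sketch that is not Plan 9's factotum nor anything from the thread: a key holder that answers challenge-response requests on the host's behalf but never exports the key, and whose key store can only be edited by presenting a separate secret (sirjofri's "additional secret for editing"). The class and function names, the HMAC-SHA256 scheme and all key values are assumptions constructed for the example.

```python
# Added example, not code from the 9fans thread or from Plan 9's factotum.
# Models the property discussed above: the host can obtain authentication
# responses but never the key material; editing keys needs a separate secret.
import hashlib
import hmac


class SoloFactotum:
    """Holds keys; exposes only challenge responses, never the keys themselves."""

    def __init__(self, admin_secret: bytes):
        self._keys: dict[str, bytes] = {}   # lives only inside the holder
        self._admin = admin_secret          # gates edits, as the thread proposes

    def respond(self, name: str, challenge: bytes) -> bytes:
        """The only operation an untrusted host gets: prove possession of `name`."""
        key = self._keys[name]              # KeyError if the key is not held
        return hmac.new(key, challenge, hashlib.sha256).digest()

    def edit(self, admin_secret: bytes, name: str, key: bytes) -> bool:
        """Add or replace a key; refused unless the editing secret matches."""
        if not hmac.compare_digest(admin_secret, self._admin):
            return False
        self._keys[name] = key
        return True

    def names(self) -> list[str]:
        """Key names are not secret; the host may list them."""
        return sorted(self._keys)


def verify(server_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response, compare in constant time."""
    expected = hmac.new(server_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values; real keys would be provisioned out of band.
    admin, shared, challenge = b"edit-secret", b"fs-password", b"\x01" * 16
    f = SoloFactotum(admin)
    ok_edit = f.edit(admin, "fs.example", shared)
    bad_edit = f.edit(b"wrong-secret", "fs.example", b"attacker-chosen")
    resp = f.respond("fs.example", challenge)   # host relays this, not `shared`
    tampered = bytes([resp[0] ^ 1]) + resp[1:]  # a modified response must fail
    return {"ok_edit": ok_edit, "bad_edit": bad_edit,
            "verified": verify(shared, challenge, resp),
            "tampered": verify(shared, challenge, tampered)}
```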