From: Steve Simon
Subject: Re: [9fans] Solo factotum
Date: Wed, 31 Dec 2025 17:24:20 +1300
Message-Id: <8716F627-36EE-445A-B4B4-754C9136596E@quintile.net>
In-Reply-To: <082BB1F6719955832AA636A1DF46A15E@eigenstate.org>
To: 9fans <9fans@9fans.net>
List-Id: "9fans" <9fans.9fans.net>

when i used plan9 full time i kept a usb stick containing my encrypted secrets (in factotum format) plugged into my terminal.

i added a clause to my profile to prompt for the password to decrypt it and push the text (via read -m) into /mnt/factotum/ctl.
(all from memory, so it may be inexact)

how would the proposed device improve on this? - honest question.

-Steve

> On 31 Dec 2025, at 1:14 pm, ori@eigenstate.org wrote:
>
> y'all are reinventing a TPM.
>
> Quoth sirjofri via 9fans <9fans@9fans.net>:
>> 30.12.2025 19:22:13 Dworkin Muller :
>>> Alternatively, just set it up as a secret store, like is done with
>>> terminals. Not quite as elegant/cool, but perhaps more practical.
>>
>> In general, you're right. However the big difference (and why I think there's a solid use case for a factotum key) is that the machine that runs factotum has to be secure. If you have a terminal with its own factotum program, that's fine. The program is on a trusted machine. However, if your terminal boots off a fs, you have to trust the factotum program on that fs to not steal your keys when executed. If you run factotum in a remote session, you have to trust the server. If you have a single enclosed factotum key and no way for the host to download the secrets directly, then you can use it even on an untrusted machine.
>>
>> Sure, you still need a way to edit the keys. Maybe a specific mount access using an additional secret for editing or something similar could be invented.
>>
>> In any case, I think for a fully trusted environment you probably don't need a factotum key. I think the whole factotum and secstore stuff is built around this level of trust (you trust the grid). If you consider a public grid with multiple users and people who sign in as guests, I'd prefer to not have my secrets uploaded into the memory of a machine that I can't control myself, if possible. And people do set up grids like that. That's why I welcome experiments into that direction. Not to replace the current status quo, but to extend it in a compatible way for different use cases.
>>
>> sirjofri

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Ta60752663ff08448-M4c3d06203988eafa4f6a9030
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
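The profile clause Steve describes above, written out as an added example rc script; it is not Steve's own profile and not code from this thread. It assumes the stick is already mounted at /n/stick (assumed path), that /n/stick/secrets.aes (assumed name) was produced with `auth/aescbc -e` from a plain factotum key file (one `key ...` line per entry), and that factotum is mounted on /mnt/factotum; the final check relies on reading /mnt/factotum/ctl, which lists loaded keys with their secret fields redacted.

```rc
#!/bin/rc
# Added example: load encrypted factotum keys from a removable stick.
# Assumed locations; adjust to where the stick is actually mounted.
secrets=/n/stick/secrets.aes

if(! test -e $secrets){
	echo 'no secrets file at '$secrets', skipping key load' >[1=2]
	exit nosecrets
}

# aescbc -d prompts for the passphrase on the console and writes the
# decrypted key file to stdout.  read -m gathers all of it into one
# write, so the key lines reach factotum together and never touch an
# intermediate file on the terminal's disk.
if(! auth/aescbc -d < $secrets | read -m > /mnt/factotum/ctl){
	echo 'decrypt or factotum load failed' >[1=2]
	exit loadfail
}

# Check: reading ctl lists the keys factotum now holds, secrets redacted.
echo loaded `{cat /mnt/factotum/ctl | wc -l} factotum keys
```

Once this has run, the decrypted keys sit in factotum's memory on the terminal, which is the exposure sirjofri's enclosed key device is meant to avoid on a machine you do not control.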