Gnus development mailing list
From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Cc: ding@gnus.org
Subject: netrc field encryption in auth-source (was: Opportunistic STARTTLS in smtpmail.el)
Date: Sun, 05 Jun 2011 10:11:11 -0500
Message-ID: <87wrh0fh4g.fsf_-_@lifelogs.com>
In-Reply-To: <m3ei3a8tth.fsf@quimbies.gnus.org>

(xposted to the Gnus mailing list and thread subject changed, finally)

On Fri, 03 Jun 2011 23:54:18 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> We'd associate a passphrase with the file, not each piece.  It should be
>> just like using a fully encrypted file, with the same passphrase caching
>> mechanism if symmetric encryption is used.

LMI> Yeah, that was what I was thinking, too.  If you've given the GPG
LMI> password to decrypt the IMAP password, it wouldn't be necessary to
LMI> repeat that to get the NNTP password.

LMI> So there would be the same amount of GPG passwords with plain-text gpg:
LMI> tokens as with the fully-encrypted .authinfo.gpg file.  The main
LMI> functional difference is that with the plain-text file you don't have to
LMI> give the GPG password immediately to see whether you even have a token
LMI> that matches your search criteria.

On Fri, 03 Jun 2011 23:50:11 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:

>> I understand.  But it sucks from the `auth-source-search' perspective
>> because now every secret blob has to be decoded to find out if it has
>> tokens X or Y when the search spec requires X or Y.  So I'm against it.

LMI> True, I didn't think of that.  Then I think your idea for this makes
LMI> most sense, and please go ahead and implement it.  :-)

OK, I will implement it like so in the netrc backend:

key1 val1 key2 gpg:hexdata key3 gpg:hexdata

Where hexdata encodes "((secret "thesecret") (salt "thesalt"))"

The decoding will happen late, probably in the funcall to obtain the
secret (and it will set some scoped variables to cache the data).  That
may be a little surprising to the user but it's the most secure
approach, I think.

If a user puts gpg: tokens in a .gpg file, I'll let them.

The creation process will by default create plaintext data, but maybe I
will add a y/n prompt for "secret" and "password" tokens to save them
encrypted.  I'm not sure yet, I need to try the process.

Is there a decent cipher that's built into Emacs, as a fallback if GPG
is not installed and usable?  I don't see one.

Thanks
Ted
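
The netrc line format and late decoding proposed in the message above, as an added Python sketch that is not part of the original post and is not auth-source's own code. The `machine`/`login`/`password` keys, the hosts, and `stand_in_decrypt` are assumptions; in real use the hex blob would be GPG output, while here it is the hex of the plaintext s-expression so the example runs offline.

```python
import binascii
import re
import shlex

GPG_PREFIX = "gpg:"

class LazySecret:
    """A gpg: field; holds the hex blob and decodes only when called."""
    def __init__(self, hexdata, decrypt):
        self._blob = binascii.unhexlify(hexdata)  # malformed hex fails at parse time
        self._decrypt = decrypt
        self._cache = None

    def __call__(self):
        if self._cache is None:  # decode once, then reuse the cached value
            self._cache = self._decrypt(self._blob)
        return self._cache

    def __repr__(self):
        return "<gpg: field, not decoded>"  # never leak the value in logs

def parse_netrc_line(line, decrypt):
    """Parse 'key val key val ...'; gpg:-prefixed values become LazySecret."""
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError("expected key/value pairs")
    entry = {}
    for key, val in zip(tokens[::2], tokens[1::2]):
        if val.startswith(GPG_PREFIX):
            val = LazySecret(val[len(GPG_PREFIX):], decrypt)
        entry[key] = val
    return entry

def search(entries, **spec):
    """Match on plaintext fields only; encrypted fields never match a spec."""
    return [e for e in entries
            if all(isinstance(e.get(k), str) and e[k] == v for k, v in spec.items())]

# Constructed sample data; hosts and user are made up.
SEXP = '((secret "thesecret") (salt "thesalt"))'
LINES = [
    "machine imap.example.org login ted password gpg:" + SEXP.encode().hex(),
    "machine news.example.org login ted password plaintextpw",
]
DECRYPT_CALLS = []  # records every decrypt invocation

def stand_in_decrypt(blob):
    """Stand-in for the GPG call: no cryptography, just reads the s-expression."""
    DECRYPT_CALLS.append(blob)
    return re.search(r'\(secret "([^"]*)"\)', blob.decode()).group(1)

ENTRIES = [parse_netrc_line(l, stand_in_decrypt) for l in LINES]
```

Searching `ENTRIES` by `machine` and `login` never touches the decryptor; it runs once, on the first call of the returned `password` field, which is the point where a passphrase prompt would appear.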



