[OT] Multi-user hierarchical password management via pki

Hubert Kario hka at qbs.com.pl
Fri Jul 27 14:50:40 CEST 2012


On Friday 27 of July 2012 13:46:02 Sven Ulland wrote:
>  * Revoking access for users that either leave or switch groups, would mean
>    having to re-encrypt all entries where the user had access (and remove
>    entries where the user had sole access). Without an all-knowing arbiter,
>    this could also easily be a showstopper.

If you have PKI it's easy.

All people that have access to an entry have this entry symmetric key 
encrypted using their public key.

To change the symmetric key, you decrypt, select new key, encrypt key with 
public keys of all people that had access to the entry in the first place. It 
is no different than changing the data inside the entry...

It requires usage of cryptographic primitives, not simple wrappers around gpg, 
but it's completely doable.

Regards,
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
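The scheme Hubert sketches (a per-entry symmetric key, wrapped under each authorised user's public key, with revocation done by re-keying and re-wrapping), as an added example that is not code from this thread or from GnuPG: it assumes AES-256-GCM for the entry data, RSA-OAEP for the per-user wrapping, and a hypothetical `Entry` type; all names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Entry: secret under its own AES-256-GCM key, that key wrapped once per user
// with RSA-OAEP (assumed layout for this example, not the list's own design).
type Entry struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // user -> RSA-OAEP(entry key)
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // neither call can fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// NewEntry seals plaintext under a fresh key and wraps that key for each user.
func NewEntry(plaintext []byte, pubs map[string]*rsa.PublicKey) *Entry {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand.Read never returns a short read
	rand.Read(nonce)
	e := &Entry{nonce, gcmFor(key).Seal(nil, nonce, plaintext, nil), map[string][]byte{}}
	for user, pub := range pubs { // a failed wrap leaves nil, so that user cannot open
		e.WrappedKeys[user], _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	}
	return e
}
// Open unwraps the entry key and decrypts. No wrapped copy fails at unwrap; a
// stale copy from before a re-key yields the old key, which fails GCM auth.
func (e *Entry) Open(user string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKeys[user], nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, e.Nonce, e.Ciphertext, nil)
}
// Revoke is the step the mail describes: a remaining member opens the entry, a
// fresh key is chosen, data is re-encrypted and re-wrapped only for keep.
func (e *Entry) Revoke(actor string, priv *rsa.PrivateKey, keep map[string]*rsa.PublicKey) error {
	plaintext, err := e.Open(actor, priv)
	if err != nil {
		return err
	}
	*e = *NewEntry(plaintext, keep)
	return nil
}
```

Re-encrypting the data under the new key is what makes a cached copy of the old wrapped key useless to the revoked user; dropping the wrapped copy alone would not.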