Page MenuHome GnuPG

Kleopatra: Signed group definition
Open, NormalPublic

Description

Since we are now considering sharing groups over a directory service we need to ensure that there can be a rights management implmented about who should be able to add or remove users from a group. For that we need at least the identity of the certficate that modified the group.

We have decided that we do not need to sign the actual keys contained in that file, since esp. with the availability of the Direcotry service we do not need to store the actual keys in the group definition.

My suggestion would be add the signature also as a key/value pair with a Base64 representation of the binary signature (I think a QByteArray is stored in base64? )
And to build the signature over the Key/Value pairs of the other entries of this group. This seems to me the most future proof when we might add more meta information (like uids?!) to the group information.

So something likepseudocode:

QByteArray signature = group.read("Signature").toByteArray();
QByteArray data;
foreach (key: group.keys().sorted()) {
   if (key == "Signature")
       continue;
   data += key.toUtf8();
   data += group.value().toByteArray();
}
verify (data, signature);

Event Timeline

aheinecke triaged this task as Normal priority.Mon, Sep 4, 12:47 PM
aheinecke created this task.