[tor-bugs] #31214 [Internal Services/Tor Sysadmin Team]: audit account-keyring
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 24 18:24:23 UTC 2019
#31214: audit account-keyring
-------------------------------------------------+---------------------
Reporter: anarcat | Owner: tpa
Type: task | Status: new
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+---------------------
Comment (by anarcat):
> if the key is expired, consider locking it in LDAP
This begs a few questions:
1. "if a key is expired" - which key? the primary `pub` key? or any
subkey? or just authentication subkeys? it seems the "correct" one would
be "if the primary key is expired, or all authentication subkeys are
expired", but that's the kind of logic that's hard to implement outside of
GnuPG
2. how do we actually decide if we lock accounts in LDAP?
This one-liner gives us a list of expired primary keys, of which there are
currently 25 out of 92:
{{{
total=0; count=0
for key in *.gpg; do
    if gpg --show-key < "$key" | grep -q 'pub.*expired'; then
        echo "KEY EXPIRED:"; gpg --show-key < "$key"
        count=$((count + 1))
    fi
    total=$((total + 1))
done
echo "found $count expired keys out of $total keys"
}}}
I added it to the account-keyring repo, as part of the audit-keyring
script.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31214#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
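The rule floated in point 1 ("lock if the primary key is expired, or all authentication subkeys are expired") is easier to implement from GnuPG's machine-readable colon output than from the human-readable listing the one-liner greps. The following is an added Python example, not code from the ticket or from the account-keyring repo: it parses `gpg --with-colons --show-keys` records, checks both the validity column and the expiration timestamp (so a key that gpg has not yet flagged `e` but whose expiry is in the past is still caught), and reports a lock reason per key. The colon-format sample, the key IDs and fingerprints, the `NOW` constant (the date of this comment) and the `show_keys` wrapper are all constructed assumptions for the example.

```python
"""Decide from gpg colon output whether an account key should be locked:
primary key expired, or every authentication-capable key expired."""
import calendar
import subprocess
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed reference time: 2019-07-24 18:24:23 UTC, the date of this comment.
NOW = 1563992663


def _to_epoch(value: str) -> Optional[int]:
    """Parse a colon-format date field: empty (no expiry), seconds since
    epoch, or ISO 8601 basic form such as 20190724T182423."""
    if not value:
        return None
    if "T" in value:
        return calendar.timegm(time.strptime(value, "%Y%m%dT%H%M%S"))
    return int(value)


def _expired(f: List[str], now: int) -> bool:
    """Field 2 is validity ('e' = expired); field 7 is the expiration date."""
    if f[1] == "e":
        return True
    exp = _to_epoch(f[6])
    return exp is not None and exp <= now


@dataclass
class KeyStatus:
    keyid: str
    fingerprint: str = ""
    primary_expired: bool = False
    # (keyid, expired) for every key with the 'a' (authenticate) capability
    auth_keys: List[Tuple[str, bool]] = field(default_factory=list)

    def lock_reason(self) -> Optional[str]:
        """None means the key is still usable for authentication."""
        if self.primary_expired:
            return "primary-expired"
        if not self.auth_keys:
            # Edge case: "all auth subkeys expired" is vacuously true here,
            # so report it separately rather than silently locking.
            return "no-auth-subkeys"
        if all(expired for _, expired in self.auth_keys):
            return "all-auth-subkeys-expired"
        return None


def parse_colons(text: str, now: int = NOW) -> List[KeyStatus]:
    """Walk pub/fpr/sub records; field 12 holds the key's capabilities."""
    keys: List[KeyStatus] = []
    cur: Optional[KeyStatus] = None
    for line in text.splitlines():
        f = line.split(":")
        caps = f[11] if len(f) > 11 else ""
        if f[0] == "pub":
            cur = KeyStatus(keyid=f[4], primary_expired=_expired(f, now))
            if "a" in caps:  # primary used directly for auth (example's choice)
                cur.auth_keys.append((f[4], cur.primary_expired))
            keys.append(cur)
        elif cur is None:
            continue
        elif f[0] == "fpr" and not cur.fingerprint:
            cur.fingerprint = f[9]  # first fpr after pub is the primary's
        elif f[0] == "sub" and "a" in caps:
            cur.auth_keys.append((f[4], _expired(f, now)))
    return keys


def locked_keys(keys: List[KeyStatus]) -> List[Tuple[str, str]]:
    """(fingerprint, reason) for every key the rule says to lock."""
    return [(k.fingerprint, k.lock_reason()) for k in keys if k.lock_reason()]


def show_keys(path: str) -> str:
    """Assumed wrapper: colon listing of an exported key file (GnuPG 2.2+)."""
    return subprocess.run(["gpg", "--batch", "--with-colons", "--show-keys", path],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: four keys covering each outcome of the rule.
SAMPLE = """\
pub:e:4096:1:1111111111111111:1420070400:1546300800::-:::scESCA::::::23::0:
fpr:::::::::AAAA1111111111111111111111111111111111AA:
uid:e::::1420070400::0000::alice <alice@example.org>::::::::::0:
sub:e:4096:1:2222222222222222:1420070400:1546300800:::::a::::::23:
pub:-:4096:1:3333333333333333:1420070400:::-:::scESCA::::::23::0:
fpr:::::::::BBBB3333333333333333333333333333333333BB:
uid:-::::1420070400::0000::bob <bob@example.org>::::::::::0:
sub:e:4096:1:4444444444444444:1420070400:1546300800:::::a::::::23:
sub:-:4096:1:5555555555555555:1546300800:1577836800:::::a::::::23:
pub:-:4096:1:6666666666666666:1420070400:::-:::scESC::::::23::0:
fpr:::::::::CCCC6666666666666666666666666666666666CC:
uid:-::::1420070400::0000::carol <carol@example.org>::::::::::0:
sub:-:4096:1:7777777777777777:1420070400::::::e::::::23:
sub:-:4096:1:8888888888888888:1420070400:1556668800:::::a::::::23:
pub:-:4096:1:9999999999999999:1420070400:::-:::scESC::::::23::0:
fpr:::::::::DDDD9999999999999999999999999999999999DD:
uid:-::::1420070400::0000::dave <dave@example.org>::::::::::0:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1420070400::::::e::::::23:
"""

if __name__ == "__main__":
    for fpr, reason in locked_keys(parse_colons(SAMPLE)):
        print(f"LOCK {fpr}: {reason}")
```

Against the sample, alice is locked because her primary key expired, carol because her only authentication subkey's expiry date is already past even though the validity column still reads `-`, dave is reported as having no authentication subkey at all, and bob stays unlocked because one of his two auth subkeys is still valid. Running it over the real keyring would be `locked_keys(parse_colons(show_keys("user.gpg")))` per exported key file.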