[tor-bugs] #29677 [Internal Services/Tor Sysadmin Team]: evaluate password management options
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 5 19:16:36 UTC 2020
#29677: evaluate password management options
-------------------------------------------------+-------------------------
Reporter: anarcat | Owner: tpa
Type: task | Status: assigned
Priority: Low | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by sysrqb):
Replying to [comment:5 anarcat]:
> Known password managers:
>
> * TPA has a `tor-passwords` repository which uses [https://github.com/weaselp/pwstore/ weasel's pwstore]
> * administration also stores passwords in SVN
> * Puppet generates passwords on the fly using a puppet-specific token (this might get replaced by trocla eventually, see #30009)
> * each worker probably has their own individual password managers, brains, and post-it notes on screens (hopefully no!) which we don't exactly know about

* Tor Browser-related passwords:
  * passphrase-protected OpenPGP signing key (package signing)
  * passphrase-protected NSSDB MAR signing key (Tor Browser updates)
  * passphrase-protected Windows Authenticode signing key
  * passphrase-protected MacOS code signing key
  * passphrase-protected Android code signing key
  * user/admin accounts on macOS/linux/windows signing machines
  * Google account (for publishing Android apps)
  * ...

Currently, these are only shared in person (via military-grade post-quantum encrypted point-to-point subspace transmission).

While this "works", I'd really appreciate having an easier and more fault-tolerant way of securely sharing this information (given the importance of keeping this information private). I don't know if such a system exists as a solution that Tor can deploy, but that's another wish-list item of mine :)

#34123 is related, but currently those keys are separate from the above list.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29677#comment:7>