Re: gpg-agent branch treats PGP passphrase as repository password?

[ crypto student hat on ]

Stefan Sperling wrote on Sun, Oct 17, 2010 at 16:03:13 +0200:
> Retreiving a password:
> Step 1: svn contacts the gpg-agent to find out the passphrase for the
> private pgp key the agent is managing. If the agent cannot be
> contacted svn asks the user for the passphrase.
> Step 2: svn uses this passphrase to decrypt the user's PGP private key

Ideally, Subversion won't know the PGP passphrase. (If it does, then
a malicious libsvn_subr can compromise a private key.)

For comparison, the ssh-agent protocol[1] only allows a client of the
agent to authenticate himself (using the agent) to a third party, but
does not have a "Retrieve secret key" option [2]. If we are to use PGP,
could we find a solution with similar properties?

> Step 3: svn uses this private key to decrypt the password stored
> inside the ~/.subversion/auth area
> Step 4: svn sends the decrypted password to the server
>
> The GPGME library will probably help with these steps:
> http://www.gnupg.org/gpgme.html

It seems straightforward enough to use this for decryption. However,
does this library provides access control? Namely, does it allow the
end user to say "libsvn may perform decryptions, but may not export
secret keys"?

> Thanks,
> Stefan

[1] <http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.agent?rev=1.6;content-type=text%2Fplain;only_with_tag=HEAD>,
    Section 2.6 and Section 3.

[2] This is documented in ssh(1) under the -A option.
Received on 2010-12-06 13:33:33 CET