[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #34123 [Internal Services/Tor Sysadmin Team]: Provide secrets/passwords management for Tor Browser Nightly signing
#34123: Provide secrets/passwords management for Tor Browser Nightly signing
-------------------------------------------------+-------------------------
Reporter: sysrqb | Owner: tpa
Type: project | Status:
| needs_information
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* status: new => needs_information
Comment:
after a discussion about this on IRC, I am not sure we can help you on
this. as detailed in #29677, we currently have *many* password management
mechanisms. the one that could be exposed on servers (through Puppet)
would be Trocla, as you correctly identified there.
but the way that works is that Trocla holds the secret (or just the hashed
version!) on the puppetmaster and deploys the secret (or just the hash!)
on the nodes. so, in effect, it does not *really* solves your problem
here: what you would need, I suspect, is either a hardware token, or
manage those secrets on your own.
i'm not sure I understand what you expect TPA to do in this specific case.
i hear, from the IRC discussion, that you are worried about that knowledge
being in only one or two person's heads, but the solution for this is
having clear and reliable documentation, alongside training, which seems
to me to be more a social than technical problem at this stage.
that said, I am happy to share the burden of storing possible secrets with
the team if you are worried about losing them. we can do that in the TPA
password manager or, if we need automatic generation and management, in
Trocla.
i would definitely need more information about how all this works before
going forward, however, so feel free to detail where I got this wrong or
how things actually work, either here or in private (nextcloud, encrypted
pgp email or private git repositories all work).
thanks!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34123#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs