Red Hat Bugzilla – Bug 64989
RFE: rpm and rhmask
Last modified: 2007-04-18 12:42:36 EDT
This is a 'confirmation of conversation' piece
rhmask, if not explicitly deprecated, is de-emphasized in the present installs.
BUT: It enables a secure infrastructure (I write this, having lunched at a
national financial institution's main office, and speaking with their Open
Source Architect, a Network Security person, and an architect for a monolithic
graphical 'server' vendor LDAP variant implementation project)
rhmask is tiny. -- It could move into rpm without too much effort or size
penalty, and provide a tool for management of enciphered content.
It lacks some features: from memory, it is using a symmetric, XOR class
encipherment, based upon the hash of a pre-existent package.
-- it enciphers the entire package, rather than just the payload, preventing it
from being able to 'play well' with the RPM sub-payload signing and potential
-- it lacks asymmetric cipher support, and clean PKI hooks
-- RPM is rolling in the GPL'd beecrypt library
-- RPM is solving and will complete solving database 'decruftification' issues
-- RPM is solving PKI validation and revocation, and verification issues
Distributing enciphered keyed information (as rhmask enables) will incidentally
facilitate keychain maintenance for the GPG layers.
So proposal is:
- Move rhmask into RPM
- extend rhmask with asymmetric, and PKI-enabled confirmation of keys.
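Added example, not rhmask's or RPM's code: a toy XOR mask in Python modelled on the description in the comment above (symmetric XOR encipherment keyed on the hash of a pre-existing package). The keystream derivation (SHA-256 in a counter construction), the TOYPKG file layout, the HMAC standing in for a GPG header signature, the signing key and the sample packages are all constructed for illustration and say nothing about rhmask's real file format. It demonstrates the two points the comment makes, that the mask is symmetric so anyone holding the base package can unmask, and that masking the whole file hides the header and its signature until after unmasking while masking only the payload leaves the header signature checkable in the clear. It goes one step beyond the comment by also showing keystream reuse, a general property of any XOR mask keyed on the same base.

```python
import hashlib
import hmac
import itertools
import struct

# Added example, not rhmask or RPM code. A toy XOR mask modelled on the
# report's description (symmetric XOR keyed on the hash of an existing
# package). The keystream derivation, the TOYPKG layout and the HMAC used
# in place of a GPG signature are all assumptions made for illustration.

MAGIC = b"TOYPKG"
SIG_LEN = 32


def keystream(base_pkg: bytes, length: int) -> bytes:
    """Keystream from the base package's SHA-256, expanded in counter mode."""
    seed = hashlib.sha256(base_pkg).digest()
    out = bytearray()
    for ctr in itertools.count():
        if len(out) >= length:
            return bytes(out[:length])
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask(data: bytes, base_pkg: bytes) -> bytes:
    """Symmetric: mask(mask(d)) == d, so anyone holding base_pkg can unmask."""
    return xor_bytes(data, keystream(base_pkg, len(data)))


unmask = mask


def sign(key: bytes, header: bytes) -> bytes:
    """HMAC-SHA256 standing in for a GPG signature over the header."""
    return hmac.new(key, header, hashlib.sha256).digest()


def build_pkg(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Toy layout: MAGIC | header length | header | sig(header) | payload."""
    return MAGIC + struct.pack(">I", len(header)) + header + sign(key, header) + payload


def split_pkg(pkg: bytes):
    """Returns (header, sig, payload); fails if the magic is absent or masked."""
    if pkg[:len(MAGIC)] != MAGIC:
        raise ValueError("not a toy package (magic missing or masked)")
    hlen = struct.unpack(">I", pkg[6:10])[0]
    header = pkg[10:10 + hlen]
    return header, pkg[10 + hlen:10 + hlen + SIG_LEN], pkg[10 + hlen + SIG_LEN:]


def verify_header(key: bytes, pkg: bytes) -> bool:
    """True only if the header signature checks on the bytes as given."""
    try:
        header, sig, _ = split_pkg(pkg)
    except ValueError:
        return False
    return hmac.compare_digest(sign(key, header), sig)


def mask_payload_only(pkg: bytes, base_pkg: bytes) -> bytes:
    """Mask just the payload; header and its signature stay readable."""
    header, sig, payload = split_pkg(pkg)
    return MAGIC + struct.pack(">I", len(header)) + header + sig + mask(payload, base_pkg)


unmask_payload_only = mask_payload_only  # XOR again on the payload restores it


def keystream_reuse_leak(masked_a: bytes, masked_b: bytes) -> bytes:
    """Two files masked against the same base share one keystream, so
    XORing them yields the XOR of the plaintexts (a property of any XOR mask)."""
    n = min(len(masked_a), len(masked_b))
    return xor_bytes(masked_a[:n], masked_b[:n])


def demo() -> dict:
    """Constructed sample: version 1.1 masked against version 1.0."""
    key = b"constructed-signing-key"
    base = build_pkg(key, b"name=foo version=1.0", b"old payload bytes")
    new = build_pkg(key, b"name=foo version=1.1", b"new payload bytes")
    whole, partial = mask(new, base), mask_payload_only(new, base)
    return {
        "roundtrip_whole": unmask(whole, base) == new,
        "roundtrip_payload": unmask_payload_only(partial, base) == new,
        "verify_whole_masked": verify_header(key, whole),      # False: header hidden
        "verify_whole_unmasked": verify_header(key, unmask(whole, base)),
        "verify_payload_masked": verify_header(key, partial),  # True: header in clear
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the script prints the five checks from demo(). The whole-file mask hides the magic, header and signature, so verify_header returns False until the consumer has unmasked with the base package; the payload-only variant keeps the header signature verifiable first, which is the "play well with sub-payload signing" point in the request. keystream_reuse_leak shows why an asymmetric layer or per-recipient keying matters: any two masks built on one base cancel to the XOR of their plaintexts.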
stale - closing