Comments (5)
Yup, those are good questions. I agree on requiring HTTPS, and not having an --insecure
flag (you can always curl the file down and then use it if you really want).
On 3️⃣, it's maybe a little too magic. Let's not do it for now.
from age.
1️⃣ In rage
I explicitly match on https://
to detect a URL argument, and have no plans to support plaintext HTTP.
2️⃣ It depends on what properties of TLS certificates we (or more precisely, our users) are relying on. An invalid or expired cert is effectively no different from an authentication point of view to plaintext HTTP, but it does still encrypt the keys in transit and prevents MitMing.
From a UX perspective, encrypting to a URL implies encrypting to the identity associated with that URL. It's debatable whether any TLS certificates provide a good notion of identity-binding, but assuming that domain validation is "sufficient", it seems to me like we should lean towards "fail-closed and require user to request out-of-band that URL be fixed", given the overall intent of confidentiality.
3️⃣ I decided not to implement this originally in rage
, but I'm open to doing so as long as there is good documentation ensuring it is well-known 🥁 🔔
from age.
Thanks for the input, @str4d. I agree with you on all points.
from age.
Updated the spec. Note that HTTPS recipient lists are not recursive (so they can't link to other HTTPS recipients, nor to files of course) just like file recipient lists are not recursive.
Once the spec moves to a proper man page I'll specify the format better, but it's the same as private key files: all lines must be recipients, empty, or #
comments.
from age.
(Let's move further spec discussions to the mailing list. https://groups.google.com/d/forum/age-dev)
from age.
Related Issues (20)
- Age terminates too soon on MacOS HOT 5
- Can this method be used to encrypt movie files? HOT 1
- report unexpected HOT 1
- age: error: failed to wrap key for recipient #0: test plugin: write |1: broken pipe HOT 16
- Plugin receives only one identity or recipient when there are multiple HOT 1
- failed to decrypt and authenticate payload chunk HOT 1
- Documentation bug in /README.md #encrypting-to-a-github-user HOT 2
- Support `sk-ssh` keys HOT 2
- brew install: not a tagged release HOT 1
- Specified SSH key is not eligible for claiming. Only RSA and Ed25519 keys are supported for proof generation. HOT 9
- Couldn't decrypt with that SSH key, please choose another one. HOT 1
- Couldn't decrypt with that SSH key, please choose another one. HOT 1
- Unable to claim the reward of 5000 token FLT HOT 1
- Unsupported SSH key type: ecdsa-sha2-nistp256 HOT 2
- Decryption does not create a file when data is empty HOT 1
- ssh connection to Github HOT 1
- I am the winner of the airdrop HOT 2
- unable to decrypt a proof with ssh key HOT 1
- Choco and scoop were unable to install age in windows
- Management of `Harvest Now, Decrypt Later` strategy and Post Quantum Safe Cryptography HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from age.