Security implications of not having a passphrase?

[kornelski]

For #384 it would be super convenient to create an implicit empty CrevID for new users, without a passphrse. What are the risks?

It wouldn't suggest backing up CrevID without a passphrase, and could require adding a passphrase at some point, e.g. before publishing anything. But how much are we worried about identity at rest on local disk?

[dpc]

Backup protected by a passphrase that the user doesn't regularly use is a great way to make sure they can't restore from it when they have to.

Passphrase is most useful for export/backup protection.

But how much are we worried about identity at rest on local disk?

I guess it depends on the user. I always use LUKS full-disk encryption on all my drives, so the encrypt-at-rest of the ID is needless for me personally, I guess. And all in all it's not all that interesting attack.

I guess the biggest thread is some systemic attack, where a popular vulnerability is used to collected many unprotected IDs and then to introduce malicious dependency and hide it with fake reviews, etc.

I guess one way to approach this is to create some temporary weak-ID, without a passphrase, mark it somehow as such and allow user to locally add trust proofs, and maybe even reviews, but definitely not publish anything. When the user is ready, cargo-crev would create a completely new ID, with a proper passphrase and backup, and then rewrite all the proofs to it (the code that can do it is already there and was used to support https://github.com/crev-dev/cargo-crev/wiki/List-of-Proof-Repositories#pre-v06-repositories).

[dpc]

BTW. We could have a passphrase agent to help with having to enter the passphrase too often. It would listen on some local socket, and if not started cargo-crev would start it from scratch. The agent would listen and sign stuff, and shut itself down after certain time of inactivity.

[kornelski]

Currently the logic is this:

• If you use functionality that needs an Id before creating any CrevID, it will create an implicit CrevID with no URL and no passphrase.

• If you crate a CrevID, it will try to adopt previous implicit CrevID and add passphrase and URL to it.

• If you make a CrevID with an empty passphrase, it will tell you it's a bad idea and you should set one.

• When you set your repo URL without explicitly creating a CrevID, it will remind you to add a passphrase.

[kornelski]

On macOS I could use Keychain to either store the passphrase, or store the whole CrevID.

[dpc]

Yeah. On linuxes there are also some kind of keyrings (gnome, kde, possibly others).