On Fri, 12 Feb 2016 at 15:34:27 +0100, Lachlan Gunn wrote:
> I am interested in using CAFF on an airgapped machine, which at the
> moment is somewhat non-obvious. If I can find the time, I would like to
> develop some kind of CSR-like workflow, would others be interested in this?
 
> The kind of workflow that I was thinking of would go something like this:
> 
> [connected machine]
> caff --write-csr csr.tar.gz <fingerprints>

The gzipped tarball format looks really overkill.  How about an OpenPGP
keyring (possibly armored)?  No need for caff here, gpg(1) can do this
alone:

  gpg --export <fingerprints> >/tmp/keyring.gpg

(you could also add ‘--export-options export-minimal’)
 
> [airgapped machine]
> caff --sign-csr csr.tar.gz --output csr.signed.tar.gz

Then it's just

  caff --key-file /tmp/keyring.gpg <fingerprints>
 
> [connected machine]
> caff --mail-from-csr csr.signed.tar.gz

I guess this is the most cumbersome step with the current workflow,
since one needs to export the signed keys from caff's own GNUPGHOME.
How about an option ‘--signed-key-file’ (and ‘--lsigned-key-file’ for
local sigs)?  Caff would export all signed keys in the specified file.
Then on the online machine, you could run

  caff -SR --key-file /tmp/signed-keyring.gpg <fingerprints>

-- 
Guilhem.

Attachment: signature.asc
Description: PGP signature

Reply via email to