From e35ba6c1e6908d013923e70f8c7ff59de5c81661 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 10 May 2016 14:07:13 -0400
Subject: [PATCH] update
---
..._2ccd5e75f175f09b08cee2290720fdea._comment | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 doc/todo/feature_request__58___pubkey-only_encryption_mode/comment_4_2ccd5e75f175f09b08cee2290720fdea._comment
diff --git a/doc/todo/feature_request__58___pubkey-only_encryption_mode/comment_4_2ccd5e75f175f09b08cee2290720fdea._comment b/doc/todo/feature_request__58___pubkey-only_encryption_mode/comment_4_2ccd5e75f175f09b08cee2290720fdea._comment
new file mode 100644
index 0000000000..558b037962
--- /dev/null
+++ b/doc/todo/feature_request__58___pubkey-only_encryption_mode/comment_4_2ccd5e75f175f09b08cee2290720fdea._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2016-05-10T17:59:03Z"
+ content="""
+Thinking about this some more, I think it makes sense that your friend who
+is doing the uploading is doing it from a clone of your repository.
+
+So, they could have access to the HMAC key, and could use it to encrypt
+filenames, rather than using the un-encrypted keys. filenames seems better,
+because there's no point in exposing the un-encrypted filenames to S3.
+
+So, the encryption setup on such a repository would be the un-encrypted
+HMAC key, and an indication of what gpg public key to encrypt file contents
+to.
+
+(Of course, you might choose to expose a sanitized form of your real
+repository for cloning, that's more or less empty. And could even expose
+it to the whole world if you want to let anyone use it for sending files
+to you. In this case the un-encrypted HMAC key would be a pretty open secret.)
+"""]]