author: Joey Hess <joeyh@joeyh.name> 2017-04-04 12:48:13 -0400
committer: Joey Hess <joeyh@joeyh.name> 2017-04-04 12:48:13 -0400
commit: 1a1d0e95b8da5e67fb76589eecf72aa7592d7dd7 (patch)
tree: a3bb9f3f207c63f8709304125a5f5617bb964a8c /doc/todo/remove_gpg_key_passphrase_from_backed_up_gpg_keys.mdwn
parent: 0d52ac5404f4203f5ea8dc13b5dcc30d67eaf444 (diff)
move TODO to doc/todo, expand a few items
Diffstat (limited to 'doc/todo/remove_gpg_key_passphrase_from_backed_up_gpg_keys.mdwn')
-rw-r--r-- doc/todo/remove_gpg_key_passphrase_from_backed_up_gpg_keys.mdwn 17
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/todo/remove_gpg_key_passphrase_from_backed_up_gpg_keys.mdwn b/doc/todo/remove_gpg_key_passphrase_from_backed_up_gpg_keys.mdwn
new file mode 100644
index 0000000..5a370be
--- /dev/null
+++ b/doc/todo/remove_gpg_key_passphrase_from_backed_up_gpg_keys.mdwn
@@ -0,0 +1,17 @@
+Remove gpg key passohrase from gpg keys that keysafe backs up.
+
+The reason for this is that the user may well forget their gpg key
+passphrase, and it's *weird* to restore a key with keysafe's password
+and then have it passphrase protected.
+
+The gpg key passphrase is intended only to keep a key from being used
+for a short period of time (a week or so) when the device holding it
+is known to have been compromised, so the key can be revoked.
+This doesn't really apply to keys backed up with keysafe -- if they get
+compromised somehow, the user won't know, and cracking the gpg passphrase
+should be almost trivial to an attacker who was able to break keysafe's
+password.
+
+paperkey can remove gpg key passphrases. Is there any better way?
+It might make sense for keysafe to prompt for a new gpg passphrase
+when restoring.
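Review bot: the first added line misspells "passphrase" as "passohrase", which will make this item hard to find when grepping doc/todo for the term. Separately, the item does not say at which point the passphrase is dropped: the opening line reads as if it happens when keysafe backs the key up, while the closing sentence proposes prompting for a new gpg passphrase when restoring. Stating which of the two is intended (or that both are options under consideration) would make the TODO actionable, and would also show whether the paperkey approach mentioned in the last paragraph is meant to run on the backup side or the restore side.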