Allow stricter permissions but not looser; Change default permissions to 0400; Correct and improve `unprotected key file' message.

depot/depot.go

@@ -113,8 +113,8 @@ func (d *FileDepot) check(tag *Tag) error {
 	if err != nil {
 		return err
 	}
-	if ^fi.Mode()&tag.perm != 0 {
-		return errors.New("permission denied")
+	if fi.Mode()&^tag.perm != 0 {
+		return errors.New("unprotected key file `" + tag.name + "': file permissions too open")
 	}
 	return nil
 }

depot/pkix.go

@@ -31,8 +31,8 @@ const (
 )
 
 const (
-	BranchPerm = 0440
-	LeafPerm   = 0444
+	BranchPerm = 0400
+	LeafPerm   = 0400
 )
 
 // CrtTag returns a tag corresponding to a certificate