Change the Key Stupid? Just a nice simple question.
I have previously implemented a process to generate new dsa/rsa keys for ssh and transfer them over the existing encrypted session with time interval t; the following connection will use the new keys, and so forth. The reason behind this was, if anyone robbed the private key and knew the passphrase (in fact I had no passphrase above, and allowed any of the last 3 key pairs to be used), it would only be valid for a short time interval.

The benefit is simple for ssh: blank-passphrase private keys are useful for time interval t and no longer; gaining access to these via backups, temporary root, temporary contract etc. is of little use if the time interval is sufficiently short.

I have not seen this technique documented/mentioned for ssh or any other protocols? Links & references? Or is this a case of CTKSS! (Change the key Stupid, Stupid)?

Surely where there is a risk of keys being copied and allowing either access, future decryption or MITM attacks with the private key, it makes sense to automate the key exchange when possible? And also to continue to have the 1-3 month manual key exchange over an alternate channel.

Thoughts / criticisms welcome

---------------------------------------------------------------------
The Cryptography Mailing List
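The server-side half of the scheme described in the message above (a rolling window of the last 3 automatically exchanged keys, with manually exchanged keys left alone), as an added example that is not part of the original post. The `rotating:<seq>` comment convention, the function name and the key blobs are assumptions made for illustration; the `expiry-time` authorized_keys option is OpenSSH's and goes beyond what the post describes.

```python
import re
from datetime import datetime, timedelta

# Assumed convention: automated keys carry a trailing "rotating:<seq>" comment.
TAG = re.compile(r"\srotating:(\d+)\s*$")

def rotate_authorized_keys(text, new_pubkey, now, interval, keep=3):
    """Add new_pubkey ("keytype base64", no comment) to the rolling window.

    Only the `keep` newest rotating keys survive; every other line
    (e.g. the manually exchanged key) is passed through untouched.
    """
    static, rotating = [], []
    for line in text.splitlines():
        m = TAG.search(line)
        if m:
            rotating.append((int(m.group(1)), line))
        elif line.strip():
            static.append(line)
    fields = new_pubkey.split()
    if len(fields) != 2:
        raise ValueError("expected 'keytype base64' with no comment")
    if any(fields[1] in line.split() for _, line in rotating):
        raise ValueError("key is already in the rotation window")
    seq = max((n for n, _ in rotating), default=0) + 1
    # Backstop: if rotation stalls, sshd rejects the key after keep * t anyway.
    expiry = (now + keep * interval).strftime("%Y%m%d%H%M")
    entry = f'expiry-time="{expiry}" {fields[0]} {fields[1]} rotating:{seq}'
    rotating.append((seq, entry))
    rotating.sort()
    return "\n".join(static + [line for _, line in rotating[-keep:]]) + "\n"

if __name__ == "__main__":
    # Constructed sample: placeholder blobs, not real keys.
    keys = "ssh-ed25519 AAAAC3CONSTRUCTEDMANUAL admin@manual-exchange\n"
    start, t = datetime(2024, 1, 1), timedelta(hours=1)
    for i in range(1, 5):  # four rotations: the first key falls out of the window
        keys = rotate_authorized_keys(
            keys, f"ssh-ed25519 AAAAC3CONSTRUCTED{i}", start + (i - 1) * t, t)
    print(keys, end="")
```

`expiry-time` is interpreted in the server's time zone, so `now` should be the server's local time.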