John Kasunich wrote:
> Jon Elson wrote:
> 
> 
>>Why do you feel these keys are such a vulnerability?  These keys 
>>can be generated specifically for LinuxCNC ONLY, and not used on 
>>any other site.  Also, they are useless for accessing anything 
>>on YOUR computer, they are generated for your computer to access 
>>outside sites only.  The only possible harm that could come from 
>>these keys is someone could spoof being you and do something 
>>malicious to the LinuxCNC repository. 
> 
> 
> No No NO!
> 
> The key you send to cradek to gain access to the CVS server is your
> PUBLIC key!   You can post your public key on your website and give
> it to every Tom, Dick, and Hacker in the world and it wouldn't matter.
> Your PRIVATE key stays on your machine.  Public key cryptography works
> by having you encrypt things with your private key, and the server
> decrypts them with the public key.  The server never sees your private
> key, but it knows that you (or someone with your PRIVATE key) sent the
> message.

Right, someone would have to crack your key (it is possible, but 
seriously unlikely someone would go to this effort) or steal it 
from your computer (probably easier) to even do the ridiculous 
example of minimal mayhem that I proposed above!  Why Paul 
Corner is claiming this is such a hideous vulnerability is just 
totally beyond me!

Jon

_______________________________________________
Emc-users mailing list
Emc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/emc-users
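
The exchange discussed in this thread, as an added example that is not part of the original messages: a server that stores only the public key issues a fresh challenge, and only the holder of the private key can answer it. It uses toy textbook RSA with constructed primes, not SSH's actual signature scheme; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy textbook-RSA key from two known Mersenne primes (constructed values;
# far too small and unpadded for real use, shown only to make the roles clear).
P, Q = 2**61 - 1, 2**89 - 1
E = 65537

def make_keypair():
    """Return (public, private); only `public` is ever given to the server."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the client
    return (n, E), (n, d)

def _digest(challenge, n):
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def sign(key, challenge):
    """Client side: sign the server's challenge with the given key."""
    n, exponent = key
    return pow(_digest(challenge, n), exponent, n)

def verify(public, challenge, signature):
    """Server side: check the signature using only the stored public key."""
    n, e = public
    return pow(signature, e, n) == _digest(challenge, n)

def login(authorized_public, signer):
    """Server issues a fresh random nonce and checks the client's response."""
    challenge = secrets.token_bytes(32)
    return verify(authorized_public, challenge, signer(challenge))

public, private = make_keypair()
old_signature = sign(private, b"constructed earlier challenge")
stolen = tuple(private)  # a copy of the private key taken from the client machine

def demo():
    return {
        "owner": login(public, lambda c: sign(private, c)),
        # Knowing the published public key does not let anyone sign.
        "public_key_only": login(public, lambda c: sign(public, c)),
        # A signature captured from an earlier session fails on a new nonce.
        "replayed_signature": login(public, lambda c: old_signature),
        # A stolen private key is indistinguishable from the owner.
        "stolen_private_key": login(public, lambda c: sign(stolen, c)),
    }

if __name__ == "__main__":
    print(demo())
```

The last case is why the private key file is normally protected with a passphrase and restrictive file permissions.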
