John Kasunich wrote:
> Jon Elson wrote:
>
>>Why do you feel these keys are such a vulnerability? These keys
>>can be generated specifically for LinuxCNC ONLY, and not used on
>>any other site. Also, they are useless for accessing anything
>>on YOUR computer, they are generated for your computer to access
>>outside sites only. The only possible harm that could come from
>>these keys is someone could spoof being you and do something
>>malicious to the LinuxCNC repository.
>
> No No NO!
>
> The key you send to cradek to gain access to the CVS server is your
> PUBLIC key! You can post your public key on your website and give
> it to every Tom, Dick, and Hacker in the world and it wouldn't matter.
> Your PRIVATE key stays on your machine. Public key cryptography works
> by having you encrypt things with your private key, and the server
> decrypts them with the public key. The server never sees your private
> key, but it knows that you (or someone with your PRIVATE key) sent the
> message.

Right, someone would have to crack your key (it is possible, but
seriously unlikely someone would go to this effort) or steal it from
your computer (probably easier) to even do the ridiculous example of
minimal mayhem that I proposed above! Why Paul Corner is claiming this
is such a hideous vulnerability is just totally beyond me!

Jon
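
The exchange discussed in this thread, as an added example that is not part of the original messages: a server holding only a public key checks a login by having the client sign a challenge with the private key. It uses textbook RSA without padding purely for illustration (not the scheme SSH uses), and the primes, key names and `login` helper are constructed for the example.

```python
import hashlib
import secrets

E = 65537  # public exponent (assumed for this example)

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, stays on the client
    return (n, E), (n, d)

def _digest(challenge, n):
    # Hash the challenge and reduce it into the modulus range.
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def sign(private, challenge):
    """Client side: only the holder of the private key can compute this."""
    n, d = private
    return pow(_digest(challenge, n), d, n)

def verify(public, challenge, signature):
    """Server side: needs nothing but the public key and the challenge."""
    n, e = public
    return pow(signature, e, n) == _digest(challenge, n)

def login(public_on_server, challenge, client_private):
    """One challenge-response round; True if the client is accepted."""
    return verify(public_on_server, challenge, sign(client_private, challenge))

# Constructed keys built from known Mersenne primes (far too small for real use).
DEV_PUBLIC, DEV_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)
# Someone who knows DEV_PUBLIC but holds a different private key.
_, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)  # fresh per login, so old replies are useless
    print("key holder accepted:  ", login(DEV_PUBLIC, challenge, DEV_PRIVATE))
    print("other key accepted:   ", login(DEV_PUBLIC, challenge, OTHER_PRIVATE))
    old_reply = sign(DEV_PRIVATE, b"earlier challenge")
    print("replayed reply accepted:", verify(DEV_PUBLIC, challenge, old_reply))
```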