On Wed, 2011-08-03 at 13:41 -0400, Ian Stokes-Rees wrote: > > > On 8/3/11 1:02 PM, Stephen Gallagher wrote: > > So I guess what I'm saying is not "Don't use centrally managed key > > storage", but rather "If you use the key anywhere but in this > > administrative domain, do not put it in centrally-managed storage > > that anyone but you can ever gain access to it". > > Yes, I appreciate the distinction you raise. Regarding your last > comment quoted above, to the best of my knowledge that is impossible. > I regularly have discussions with people saying "an administrator > could always do X,Y and Z to access your supposedly private data" -- > if there are ways in which I could be wrong about that, I'd love to > know them. Otherwise I believe that the key risks from a centralized > keystore are: > > * ease of compromise by an unscrupulous administrator > * extent of compromise if attacker gains administrative privs to > central keystore (although it sounds like the RH DRM system could > significantly reduce that) > * risk of compromise due to security vulnerabilities in central > keystore software > > I think the general consensus is that you are always exposed to some > degree of risk, and it is necessary to evaluate the risks versus the > benefits. There are some lovely lakes in northern Maine where you can > probably use your laptop without too much risk of compromised privacy, > or closer to home, I'm sure most of us can remember a day when we got > lots of useful work done on a computer with no network connection and > were excited when we got one new piece of software every few months. > > In my risk/benefit world, a centralized keystore would be really > useful. > > And for the record, if any one of the computers I use is compromised > with a keyboard scanner or theft of my private ssh or X.509 keys, then > I'm in a whole world of pain, and not a small amount of inconvenience > (and risk of malicious attacks) to the various systems I regularly > access. Best I can tell, that isn't too different from most people in > my situation, and short of that nice cabin in Maine, is simply the > reality (risk) of the kind of work I do, and the people I do it for.
Well, there exist central storage approaches that don't allow even the local admin access to the data. The trade-off of course is that they can't reinstate your access if you forget the password. In other words, you can set a password that is used as a symmetric key for encrypting your data in the central store. It's still central and can be retrieved from anywhere, but only you know how to read it.
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users