On Wed, 2011-08-03 at 13:41 -0400, Ian Stokes-Rees wrote:
> On 8/3/11 1:02 PM, Stephen Gallagher wrote: 
> > So I guess what I'm saying is not "Don't use centrally managed key
> > storage", but rather "If you use the key anywhere but in this
> > administrative domain, do not put it in centrally-managed storage
> > that anyone but you can ever gain access to it". 
> Yes, I appreciate the distinction you raise.  Regarding your last
> comment quoted above, to the best of my knowledge that is impossible.
> I regularly have discussions with people saying "an administrator
> could always do X, Y and Z to access your supposedly private data" --
> if there are ways in which I could be wrong about that, I'd love to
> know them.  Otherwise I believe that the key risks from a centralized
> keystore are:
> * ease of compromise by an unscrupulous administrator
> * extent of compromise if attacker gains administrative privs to
> central keystore (although it sounds like the RH DRM system could
> significantly reduce that)
> * risk of compromise due to security vulnerabilities in central
> keystore software
> I think the general consensus is that you are always exposed to some
> degree of risk, and it is necessary to evaluate the risks versus the
> benefits.  There are some lovely lakes in northern Maine where you can
> probably use your laptop without too much risk of compromised privacy,
> or closer to home, I'm sure most of us can remember a day when we got
> lots of useful work done on a computer with no network connection and
> were excited when we got one new piece of software every few months.
> In my risk/benefit world, a centralized keystore would be really
> useful.
> And for the record, if any one of the computers I use is compromised
> with a keyboard scanner or theft of my private ssh or X.509 keys, then
> I'm in a whole world of pain, and not a small amount of inconvenience
> (and risk of malicious attacks) to the various systems I regularly
> access.  Best I can tell, that isn't too different from most people in
> my situation, and short of that nice cabin in Maine, is simply the
> reality (risk) of the kind of work I do, and the people I do it for.

Well, there exist central storage approaches that don't allow even the
local admin access to the data. The trade-off of course is that they
can't reinstate your access if you forget the password.

In other words, you can set a password that is used as a symmetric key
for encrypting your data in the central store. It's still central and
can be retrieved from anywhere, but only you know how to read it.


Freeipa-users mailing list