Yep. But in the case of "cat herding" requirements, less exposure is always a better idea. The "best" idea would be to be secure.
Considering the cost, it is relatively inexpensive to buy a CEX feature for the "priceless" peace of mind of being secure. Even if you add in the cost of a TKE or DKMS.

Rob Schramm
Senior Systems Consultant
Imperium Group

On Mon, Jul 9, 2012 at 3:07 PM, Phil Smith <[email protected]> wrote:

> Rob Schramm wrote:
> >Yep.
>
> >By using ICSF plus CEX, and using protected key.. you get more of the
> >performance characteristics of CPACF but retain the more secure nature of
> >secure key.
>
> >Yes the exposure is less.. but it will always be suspect. Ultimately, the
> >protected key is dependent on the "source" key material being "secure" or
> >"not secure"... I don't see a category for "sort of secure" <VBG>.
>
> >And yet.. less exposure is always a better idea.
>
> >In the case of encrypting things like PINs .. I don't think securing under
> >protected key without the original key material resting in ICSF under CEX
> >MK is a good idea. (dang.. I think I fell into a "not logic" sentence)
>
> From a security perspective, "sort of secure" isn't substantively
> different from "insecure". I'd go further wrt Protected Key and say that if
> the key that you wrap isn't secure, then it's not really "Protected Key".
> But I don't want this to devolve into a semantics discussion.
>
> There are lots of things you CAN do, but many of them don't qualify as
> "secure"; this is one of them.
>
> ...phsiii
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
