begin quoting Lan Barnes as of Sun, Dec 03, 2006 at 10:42:03AM -0800:
> > On Sat, December 2, 2006 11:57 pm, Joshua Penix wrote:
> > [snip]
> > No no, the passphrase is stored as part of the user's private key.
> > Your cfengine scripts are only managing the public half of the keys,
> > right? The passphrase can be removed from the private key without
> > anything changing in the public key.
>
> Apropos of security, I have wondered why we don't generate our key and
> keyring (certificates, all those other things I don't really understand)
> on a finger drive that we carry with us on a loop around our neck.
>
> Comments?
What's the threat you're worried about? I don't see much, if any, benefit in carrying around keys or a keyring on a flash drive -- especially if you mean to plug it into several different machines. And doubly so if you're talking about carting around private keys.

I do see a benefit of keeping the fingerprints of host keys and your collection of public keys on a flash drive -- the biggest problem I have when I sit down at a new (and presumably trusted) computer is that I don't have any way of verifying that yes, that host key fingerprint for the server is, indeed, the correct fingerprint. It's not like I can memorize the darn thing. It's too long and too meaningless (by necessity) for that to be a reasonable thing to do.

(It would be better if the flash drives could easily be made read-only, so perhaps something like an SD card would be better yet. Or, write this stuff down in a notebook or put it in your PDA, and introduce a manual verification step...)

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
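The manual verification step described in the reply above, as an added example that is not part of the list post: a carried record of host-key fingerprints (one "host fingerprint" pair per line, as you would write down from the server console) is checked against the key a server offers. The host names and the 32-byte key material are constructed, not real hosts or keys.

```python
import base64
import hashlib
import struct


def ed25519_key_line(raw32, comment="constructed"):
    """Build an OpenSSH public-key line from 32 raw bytes (constructed sample key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def fingerprint_sha256(key_line):
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of sha256 over the key blob."""
    blob = base64.b64decode(key_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(key_line):
    """Legacy 'MD5:' fingerprint, colon-separated hex (what 2006-era ssh printed)."""
    blob = base64.b64decode(key_line.split()[1])
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_record(text):
    """Parse the carried list: 'host fingerprint' per line, '#' comments allowed."""
    record = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            host, fp = line.split()
            record[host] = fp
    return record


def verify_host_key(record, host, offered_key_line):
    """Compare the offered key with the carried record for this host.
    Returns True on match, False on mismatch, None if the host is not recorded
    (an unknown host is not a match; do not guess)."""
    expected = record.get(host)
    if expected is None:
        return None
    if expected.startswith("MD5:"):
        return fingerprint_md5(offered_key_line) == expected
    return fingerprint_sha256(offered_key_line) == expected


# Constructed sample keys and the record a user might carry on a read-only card.
MAIL_KEY = ed25519_key_line(bytes(range(32)))
SHELL_KEY = ed25519_key_line(bytes(range(32, 64)))
CARRIED_RECORD = (
    "# host              fingerprint copied from the server console\n"
    f"mail.example.test   {fingerprint_sha256(MAIL_KEY)}\n"
    f"shell.example.test  {fingerprint_md5(SHELL_KEY)}\n"
)
```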
