On Sun, December 3, 2006 11:44 am, Stewart Stremler wrote:
> begin quoting Lan Barnes as of Sun, Dec 03, 2006 at 10:42:03AM -0800:
>>
>> On Sat, December 2, 2006 11:57 pm, Joshua Penix wrote:
> [snip]
>> > No no, the passphrase is stored as part of the user's private key.
>> > Your cfengine scripts are only managing the public half of the keys,
>> > right? The passphrase can be removed from the private key without
>> > anything changing in the public key.
>>
>> Apropos of security, I have wondered why we don't generate our key and
>> keyring (certificates, all those other things I don't really understand)
>> on a finger drive that we carry with us on a loop around our neck.
>>
>> Comments?
>
> What's the threat you're worried about?
>
> I don't see much, if any, benefit in carrying around keys or a keyring
> on a flash drive -- especially if you mean to plug it into several
> different machines. And doubly so if you're talking about carting
> around private keys.
>
> I do see a benefit of keeping the fingerprints of host keys and your
> collection of public keys on a flash drive -- the biggest problem I
> have when I sit down at a new (and presumably trusted) computer is that
> I don't have any way of verifying that yes, that host key fingerprint
> for the server is, indeed, the correct fingerprint.
>
> It's not like I can memorize the darn thing. It's too long and too
> meaningless (by necessity) for that to be a reasonable thing to do.
>
> (It would be better if the flash drives could easily be made read-only,
> so perhaps something like an SD card would be better yet. Or, write
> this stuff down in a notebook or put it in your PDA, and introduce a
> manual verification step...)
>
When I say "Comments?" that means I'm not sure I know what I'm talking about and I want to be educated.

I carry putty and a file with my home IP addr on my flash on my keyring (real keys). I got the idea from the list -- one of the Allens IIRC. Many and oft it has been a godsend in the field, especially in China.

-- 
Lan Barnes
Tcl/Tk Enthusiast
SCM Analyst
Linux Guy
Biodiesel Brewer

-- 
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
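The manual verification step Stewart describes above (checking a server's host key fingerprint against a list you carry rather than trying to remember it), as an added example that is not part of the original thread: a small Python script that computes OpenSSH-style SHA256 fingerprints from known_hosts entries and compares them with a "host fingerprint" list kept on a flash drive. The host names, key blobs and the trusted list are constructed here for illustration and are not real keys.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def sha256_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)), '=' padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def fingerprints_from_known_hosts(text: str) -> dict:
    """Map host -> fingerprint for each 'host keytype base64blob' line (no hashed hosts)."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        out[parts[0]] = sha256_fingerprint(base64.b64decode(parts[2]))
    return out

def parse_trusted_list(text: str) -> dict:
    """Parse the carried list: one 'host SHA256:...' pair per line."""
    return dict(line.split() for line in text.splitlines() if len(line.split()) == 2)

def check_hosts(known_hosts_text: str, trusted_text: str) -> dict:
    """Report 'ok', 'MISMATCH' or 'unknown' for every host in known_hosts."""
    trusted = parse_trusted_list(trusted_text)
    report = {}
    for host, fp in fingerprints_from_known_hosts(known_hosts_text).items():
        if host not in trusted:
            report[host] = "unknown"      # never recorded: verify out of band first
        else:
            report[host] = "ok" if trusted[host] == fp else "MISMATCH"
    return report

# Constructed sample data (not real keys): ed25519 blobs with dummy 32-byte public keys.
GOOD_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join(
    f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"
    for host, blob in [("good.example", GOOD_BLOB), ("bad.example", OTHER_BLOB),
                       ("new.example", GOOD_BLOB)])
# The list on the flash drive: bad.example was recorded with a different key.
TRUSTED_LIST = f"good.example {sha256_fingerprint(GOOD_BLOB)}\nbad.example {sha256_fingerprint(GOOD_BLOB)}"

if __name__ == "__main__":
    print(check_hosts(KNOWN_HOSTS, TRUSTED_LIST))
```

A MISMATCH is the case worth stopping for: the key the new machine has cached is not the one you recorded, so the connection should not be trusted until the difference is explained.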
