On Apr 22, 2004, at 2:04 AM, Henri Yandell wrote:

> On the other side, I keep server and banking passwords pretty tight. To
> talk to servers, you can use things called SSH Keys as your password. It's
> basically a large, cryptographically secure password that you additionally
> protect with a passphrase, i.e. multiple words. When I log into the machine,
> I set it up, and when I turn the machine off [or log out, or just turn off
> this feature], I can't automatically connect to servers/email etc. It's
> very cool.

I keep such things in my Keychain, so most of these connections are automatic. The Keychain file is strongly encrypted and I'm not worried about it being compromised. To make sure it can't easily be peeked at, I use a different password on my Keychain than on my login. This means I'm asked for two passwords when I log in, but that's not too much trouble because I have all my passwords (and credit card numbers and financial account identification, etc.) in one strongly encrypted file.

> SSL, aka https://, also has a similar concept I think. It would be very
> nice if our banks would send us a signed certificate that we would put on
> our computers and log in with. I hate using a 4 digit pin to log into my
> modifiable bank account. They could send us an encrypted USB key etc and
> there'd be various electronic handshaking. All very possible and sci-fi;
> especially once said electronic handshake was on a chip under our skin :)

I don't like USB dongles because they never work as transparently as theory says they should. The combination of the built-in SSL and Keychain should be sufficient. But, Apple has really screwed up the interface design big time on their SSL support. I had to buy the O'Reilly book on OpenSSL to figure it out, and I'm still not quite sure what Apple's doing.

My biggest complaint about Apple's SSL is that they don't make it at all easy to handle certificates not issued by the big boys like Verisign, or even handle personal keys issued by the big boys. Here are a couple of examples.

When X.3 came out, Mail finally started correctly handling encrypted connections for getting mail via IMAP and POP. My main mail drop is the same machine on which this list is hosted. When using secure IMAP, Mail asked me every time whether I trust erdos to be a secure host. It did this because the digital certificate for erdos was not present in the keychain.
It took me a long time to figure out how to import a self-signed digital certificate because Apple has no built-in facility for doing this, even though the software supports it, and the documentation is nearly nonexistent. This should be nearly automatic, once you say the host is trusted.

I've long had an encryption key pair from Verisign (They're free!) for use with e-mail. Starting with X.3, Mail supports both encrypted mail and digital signatures. Importing an existing digital signature into a keychain for use with Mail is pretty easy, but exporting it for use with other programs or other machines once you get it in there seems to be impossible. (Hint: If you get a key, don't use Safari to download it.)

My conclusion is that Apple has added this stuff so they can satisfy some government contract checklist, but they made no effort to make it usable. And this is a real shame, because strong encryption would solve a lot of problems on the Internet. For example:

Many medical and financial professionals won't do much by e-mail because there's no privacy with standard e-mail. (You might as well write a postcard.) If encryption were standard, they could discuss personal information with assurance of privacy.

Most politicians pretty much ignore e-mail because they don't know who's really writing it. With secure digital signatures this problem goes away.

If digital signatures were common, spam would be less effective because you could take all the signed mail as legitimate and the rest as junk.

| The next meeting of the Louisville Computer Society will
| be April 27. The LCS Web page is <http://www.kymac.org>.
| List posting address: <mailto:macgroup at erdos.math.louisville.edu>
| List Web page: <http://erdos.math.louisville.edu/macgroup>
