On Mon, 2005-02-21 at 13:33 -0500, David F. Skoll wrote:
> Actually, I see that as a huge issue.  If the key is ever compromised,
> then every piece of e-mail you've ever sent out is vulnerable to
> decryption.  That makes the MIMEDefang machine a very tempting target.

This can be mitigated by creating several encryption subkeys up front.
(This would be done on a secure, unconnected machine.) Each key would be
valid for a specific chunk of time. Then, only install the first on the
server.

Near the expiration date, add the second subkey. A little while after
the expiration date, remove the first. Repeat this as the subkeys
expire. In this way, a compromise would only affect the messages from
one chunk of time (or two in the worst-case scenario when it's
compromised during the overlap around the expiration date). This does
assume that you catch the compromise in a timely fashion. If you wanted
to be absolutely sure about that, you could switch the mail server
functions over to a freshly installed and patched machine every time you
switched subkeys.

The messages could be archived in encrypted form. Assuming you use the
commercial version of PGP, the secret sharing stuff could be used to
ensure that the archived messages could only be read when authorized by
the appropriate person(s). If you're using GnuPG or something else, then
secret sharing isn't really available, but there are other ways of
accomplishing much the same thing.

Richard Laager


_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
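
The rotation scheme described in the message above, modeled as an added example (not part of the original post and not MIMEDefang code). It shows which subkeys are on the server on a given day and how much mail a compromise on that day exposes. The 90-day period, the 7-day lead and grace intervals, the dates and the key names are all assumed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Subkey:
    name: str
    valid_from: date  # senders start encrypting to this subkey
    expires: date     # senders stop encrypting to it

def make_schedule(start, period_days, count):
    """Back-to-back validity windows, generated up front on the offline machine."""
    keys = []
    for i in range(count):
        begin = start + timedelta(days=i * period_days)
        keys.append(Subkey(f"subkey-{i + 1}", begin, begin + timedelta(days=period_days)))
    return keys

def installed_on(schedule, day, lead_days, grace_days):
    """Subkeys whose secret half sits on the mail server on `day`.

    Each subkey is added lead_days before its window opens (near the previous
    key's expiry) and removed grace_days after its own expiry.
    """
    lead, grace = timedelta(days=lead_days), timedelta(days=grace_days)
    return [k for k in schedule if k.valid_from - lead <= day < k.expires + grace]

def exposure(schedule, compromise_day, lead_days, grace_days):
    """(window start, window end, number of windows) readable with the
    subkeys stolen on `compromise_day`, or None if no subkey is installed."""
    keys = installed_on(schedule, compromise_day, lead_days, grace_days)
    if not keys:
        return None
    return min(k.valid_from for k in keys), max(k.expires for k in keys), len(keys)

# Constructed sample schedule; values are assumptions, not from the message.
SCHEDULE = make_schedule(date(2005, 1, 1), period_days=90, count=4)

if __name__ == "__main__":
    # Mid-window, during the overlap, and after the first key is removed.
    for day in (date(2005, 2, 21), date(2005, 3, 30), date(2005, 4, 10)):
        print(day, exposure(SCHEDULE, day, lead_days=7, grace_days=7))
```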
