From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Wolf Sent: Friday, 7 November 2014 5:29 AM To: [email protected] Subject: RE: [NTSysADM] Has anyone implemented this solution?
>> And then, how are you going to store the private key securely? All you’ve
>> done is move what needs to be protected from the text file to the private key.
>
> Yes, but don’t all authorization/cryptographic issues reduce to protecting a
> private key/secret?

Sure – and there are ways (some better than others) to do that. I don’t see anything in your proposed solution that does anything except shift the target. The target itself isn’t protected any better.

>> I wasn’t clear – the private key would not be on the server, instead shared
>> directly on technician computers. And the private key would be
>> password-protected, as well.

So, instead of being stored on a centralized, protected piece of infrastructure, it’s now going to be shared peer-to-peer? And now you have a password for the key? So, how are you going to protect this password? Maybe put it in a text file, encrypted with PKI, and the private key for that is password protected? ☺

Do you see what I’m trying to get at here? You haven’t meaningfully protected the “keys to the kingdom” – anyone who has the password then has access to the key, which then has access to the text file.

Cheers
Ken
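The chain Ken is describing (text file encrypted to a key, key protected by a technician's password, key file copied to laptops) can be modelled end to end to show where the effective secret ends up. The following is an added example written for this page, not code from the thread or from either participant. It assumes a Python standard library only, so a random 256-bit symmetric key stands in for the RSA private key the proposal uses (the protection chain is the same either way), the PBKDF2 iteration count is set deliberately low so the demo runs in under a second, and every credential and password in it is constructed sample data. The last function is the part the thread leaves implicit: once the wrapped key and the encrypted file are on a shared laptop, an attacker with a copy can guess the password offline, with no lockout and no audit trail, and each correct guess yields the whole file.

```python
"""Toy model of the debated scheme. Constructed data throughout; a symmetric
key stands in for the RSA private key because the stdlib has no RSA."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 1000  # deliberately low so the demo runs quickly (assumption)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used as a stand-in stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def wrap_key(password: str, salt: bytes, private_key: bytes) -> bytes:
    """'Password-protected private key': the key wrapped under a PBKDF2-derived KEK."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return encrypt(kek, private_key)


def unwrap_key(password: str, salt: bytes, wrapped: bytes):
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return decrypt(kek, wrapped)


def build_deployment(secret_file: bytes, technician_password: str) -> dict:
    """Everything that ends up on a technician's laptop under the proposed scheme."""
    private_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return {
        "encrypted_file": encrypt(private_key, secret_file),
        "wrapped_key": wrap_key(technician_password, salt, private_key),
        "salt": salt,
    }


def offline_guess(deployment: dict, candidates):
    """Attacker holding a copy of the laptop files: guess passwords offline.
    Returns (password, plaintext) on success, (None, None) otherwise."""
    for guess in candidates:
        private_key = unwrap_key(guess, deployment["salt"], deployment["wrapped_key"])
        if private_key is None:
            continue  # wrong password: KEK did not verify the wrapped-key tag
        return guess, decrypt(private_key, deployment["encrypted_file"])
    return None, None


def demo():
    # Constructed sample credentials file and a constructed technician password.
    secret_file = b"svc_backup=Winter2014!\nsa=P@ssw0rd\n"
    deployment = build_deployment(secret_file, "Welcome1")
    # Constructed wordlist; the technician's password is an ordinary guessable one.
    wordlist = ["Password1", "Summer2014", "letmein", "Welcome1", "Tr0ub4dor&3"]
    return offline_guess(deployment, wordlist)


if __name__ == "__main__":
    password, plaintext = demo()
    print("recovered password:", password)
    print("recovered file:", plaintext.decode() if plaintext else None)
```

Nothing in the chain stops the loop in `offline_guess`: the public-key layer only moves the problem to the wrapped key, and the wrapped key's security is exactly the entropy of the password plus the cost of the key derivation. A real deployment would at least keep the key in a hardware or OS-backed store that never releases it and rate-limits use, rather than as a file that can be copied and attacked at leisure.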

