On Mon, May 08, 2006 at 09:41:49PM +0000, Jason Holt wrote: > You're talking about multiple machines being able to decrypt, so is > it a shared secret across the machines?
Yes -- a shared private key, but that key is only available to the
operating environment of each machine when the machine is booted in a
trusted manner. A set of machines are certified as appropriate for
handling trade secrets, set up with a secure operating environment
(including auditing, MAC, and so forth), and then data is
transparently accessible on only those machines. Additional secrets
protecting the data (i.e., passphrases) can narrow down access to a
subset of users of that set of machines (providing a convenient means
of two-factor authentication).
Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
"If you find official statements that contradict mine, I'm wrong."
- Disclaimer in a post on Slashdot by an IBM'er
signature.asc
Description: Digital signature
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
