Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-04 Thread Adam Young
DRM is the way to go. However it does not support symmetric keys now. This is the part that we need for volume keys. Maybe it is the vault to store all sorts of keys. This is something that needs to be designed and looked at as a broader perspective. Adam likes to repeat a phrase about

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-04 Thread Rich Megginson
On 08/04/2011 02:05 PM, Ian Stokes-Rees wrote: On 8/3/11 6:13 PM, Dmitri Pal wrote: On 08/03/2011 10:10 AM, Ian Stokes-Rees wrote: If there were some way to securely embed an arbitrary string in the user profile, that would go a long way to solving this problem. At least 4KB to cover a 2048

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-04 Thread Dmitri Pal
On 08/04/2011 04:12 PM, Rich Megginson wrote: On 08/04/2011 02:05 PM, Ian Stokes-Rees wrote: On 8/3/11 6:13 PM, Dmitri Pal wrote: On 08/03/2011 10:10 AM, Ian Stokes-Rees wrote: If there were some way to securely embed an arbitrary string in the user profile, that would go a long way to

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ondrej Valousek
Maybe stupid question, but I have to ask: Why would anyone want to store user RSA keys in LDAP? Once you have IPA server with KDC installed, you can use Kerberos for authentication as well. And you get single sign on as a special bonus :-) Ondrej The information contained in this e-mail and

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ian Stokes-Rees
First, a security specialist would probably rebel about providing the password or keys in clear. The best practice says do not reveal the keys/passwords but rather encrypt them with some other "transport" secret that would be known to the user or destination

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ian Stokes-Rees
On 8/3/11 4:47 AM, Ondrej Valousek wrote: Maybe stupid question, but I have to ask: Why would anyone want to store user RSA keys in LDAP? Once you have IPA server with KDC installed, you can use Kerberos for authentication as well. And

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Stephen Gallagher
On Wed, 2011-08-03 at 10:14 -0400, Ian Stokes-Rees wrote: On 8/3/11 4:47 AM, Ondrej Valousek wrote: Maybe stupid question, but I have to ask: Why would anyone want to store user RSA keys in LDAP? Once you have IPA server with KDC installed, you can use Kerberos for authentication as

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ian Stokes-Rees
On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote: As a general rule, I would think that having your private key stored somewhere that an admin other than yourself can reset the password and have access to would be really dangerous. Most especially if this private key was being used to

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Adam Young
On 08/03/2011 12:21 PM, Ian Stokes-Rees wrote: On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote: As a general rule, I would think that having your private key stored somewhere that an admin other than yourself can reset the password and have access to would be really dangerous. Most

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Stephen Gallagher
On Wed, 2011-08-03 at 12:21 -0400, Ian Stokes-Rees wrote: On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote: As a general rule, I would think that having your private key stored somewhere that an admin other than yourself can reset the password and have access to would be really

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ian Stokes-Rees
On 8/3/11 12:38 PM, Adam Young wrote: I think what you are interested in is the Data Recovery Manager (DRM...hey, we had the acronym first, but we also call it Key Recovery) aspect of Certificate Server. That is awesome. That is exactly what I want. Do you have experience with this? If

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ian Stokes-Rees
On 8/3/11 1:02 PM, Stephen Gallagher wrote: So I guess what I'm saying is not Don't use centrally managed key storage, but rather If you use the key anywhere but in this administrative domain, do not put it in centrally-managed storage that anyone but you can ever gain access to it. Yes, I

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Simo Sorce
On Wed, 2011-08-03 at 13:46 -0400, Stephen Gallagher wrote: On Wed, 2011-08-03 at 13:41 -0400, Ian Stokes-Rees wrote: On 8/3/11 1:02 PM, Stephen Gallagher wrote: So I guess what I'm saying is not Don't use centrally managed key storage, but rather If you use the key anywhere but in

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Stephen Gallagher
On Wed, 2011-08-03 at 14:02 -0400, Ian Stokes-Rees wrote: On 8/3/11 1:46 PM, Stephen Gallagher wrote: Well, there exist central storage approaches that don't allow even the local admin access to the data. The trade-off of course is that they can't reinstate your access if you forget

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Ian Stokes-Rees
On Wed Aug 3 14:05:51 2011, Stephen Gallagher wrote: No, the way that such a system would work is that the password would never be passed to the central server. Only the encrypted data would be sent and received. All decryption would happen locally. The most a man-in-the-middle attack could
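The scheme Stephen describes here (the passphrase never leaves the client, the directory only ever stores and returns ciphertext, and all decryption happens locally), which is also the "transport secret" approach raised in the 2011-08-03 Ian Stokes-Rees message earlier on this page, as an added example. This is not code from the thread or from FreeIPA: the directory is simulated with a dict, the attribute name x-wrappedPrivateKey and the sample key are constructed for illustration, and the cipher is a stdlib-only encrypt-then-MAC construction (PBKDF2-HMAC-SHA256 key derivation, an HMAC-SHA256 counter keystream, HMAC-SHA256 tag) standing in for a vetted AEAD such as AES-GCM so the example runs with no third-party packages.

```python
"""Client-side wrapping of a private key before it is stored in a central directory.

Added example, not FreeIPA code. Directory = dict; attribute name and key are
constructed stand-ins. Keep a real AEAD (e.g. AES-GCM) for production; the
HMAC-based construction here is only to stay dependency-free.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample standing in for a PEM private key (not a real key).
SAMPLE_KEY = (b"-----BEGIN PRIVATE KEY-----\n"
              b"CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
              b"-----END PRIVATE KEY-----\n")


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the user's passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(enc_key, nonce || i)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", offset // 32),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_private_key(private_key: bytes, passphrase: str) -> str:
    """Encrypt-then-MAC under a passphrase-derived key. Returns the opaque blob the
    client hands to the directory; the passphrase itself is never transmitted."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = _keystream_xor(enc_key, nonce, private_key)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ciphertext + tag).decode("ascii")


def unwrap_private_key(blob: str, passphrase: str) -> bytes:
    """Verify the tag first, then decrypt. Wrong passphrase or a modified blob fails closed."""
    raw = base64.b64decode(blob)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = raw[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = raw[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong passphrase or tampered blob")
    return _keystream_xor(enc_key, nonce, ciphertext)


def _rejected(blob: str, passphrase: str) -> bool:
    try:
        unwrap_private_key(blob, passphrase)
        return False
    except ValueError:
        return True


def demo(passphrase: str = "correct horse battery staple") -> Dict[str, bool]:
    """Round trip: client wraps, directory stores, client unwraps. Reports what the
    directory admin or a man-in-the-middle could do with the stored attribute."""
    entry = {"uid": "alice",
             "x-wrappedPrivateKey": wrap_private_key(SAMPLE_KEY, passphrase)}
    stored = entry["x-wrappedPrivateKey"]
    # Attacker flips one bit of the ciphertext held in the directory.
    raw = bytearray(base64.b64decode(stored))
    raw[SALT_LEN + NONCE_LEN] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    return {
        "recovered_ok": unwrap_private_key(stored, passphrase) == SAMPLE_KEY,
        "server_sees_plaintext": SAMPLE_KEY in base64.b64decode(stored),
        "wrong_passphrase_rejected": _rejected(stored, "not the passphrase"),
        "tamper_rejected": _rejected(tampered, passphrase),
    }


if __name__ == "__main__":
    print(demo())
```

The point Stephen makes holds only as long as the passphrase is never sent to the server: an admin who can reset the user's directory password still cannot read the blob, because the wrapping passphrase is unrelated to the directory credential, and the trade-off he names follows directly, since nobody can recover the key if that passphrase is lost.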

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Adam Young
On 08/03/2011 01:16 PM, Ian Stokes-Rees wrote: On 8/3/11 12:38 PM, Adam Young wrote: I think what you are interested in is the Data Recovery Manager (DRM...hey, we had the acronym first, but we also call it Key Recovery ) aspect of Certificate Server. That is awesome. That is exactly

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Dmitri Pal
On 08/03/2011 10:10 AM, Ian Stokes-Rees wrote: If there were some way to securely embed an arbitrary string in the user profile, that would go a long way to solving this problem. At least 4KB to cover a 2048 X.509 public key, but ideally 10 KB or more. To remove the ACL complexity, just

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Dmitri Pal
On 08/03/2011 01:56 PM, Simo Sorce wrote: On Wed, 2011-08-03 at 13:46 -0400, Stephen Gallagher wrote: On Wed, 2011-08-03 at 13:41 -0400, Ian Stokes-Rees wrote: On 8/3/11 1:02 PM, Stephen Gallagher wrote: So I guess what I'm saying is not Don't use centrally managed key storage, but rather

[Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-02 Thread Ian Stokes-Rees
Is there some mechanism to store private keys (e.g. ssh, pgp, gpg, X.509) in FreeIPA, tied to a user account, so only the user (via kerb token or with password prompt) can fetch the token? If FreeIPA doesn't make this possible, can anyone suggest a good mechanism to have, effectively, a user

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-02 Thread Dmitri Pal
On 08/02/2011 02:15 PM, Ian Stokes-Rees wrote: Is there some mechanism to store private keys (e.g. ssh, pgp, gpg, X.509) in FreeIPA, tied to a user account, so only the user (via kerb token or with password prompt) can fetch the token? If FreeIPA doesn't make this possible, can anyone suggest

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-02 Thread Simo Sorce
On Tue, 2011-08-02 at 16:27 -0400, Dmitri Pal wrote: On 08/02/2011 02:15 PM, Ian Stokes-Rees wrote: Is there some mechanism to store private keys (e.g. ssh, pgp, gpg, X.509) in FreeIPA, tied to a user account, so only the user (via kerb token or with password prompt) can fetch the token?

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-02 Thread Ian Stokes-Rees
On 8/2/11 4:27 PM, Dmitri Pal wrote: On 08/02/2011 02:15 PM, Ian Stokes-Rees wrote: Is there some mechanism to store private keys (e.g. ssh, pgp, gpg, X.509) in FreeIPA, tied to a user account, so only the user (via kerb token or with password prompt) can fetch the token? If FreeIPA

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-02 Thread Dmitri Pal
On 08/02/2011 05:51 PM, Ian Stokes-Rees wrote: On 8/2/11 4:27 PM, Dmitri Pal wrote: On 08/02/2011 02:15 PM, Ian Stokes-Rees wrote: Is there some mechanism to store private keys (e.g. ssh, pgp, gpg, X.509) in FreeIPA, tied to a user account, so only the user (via kerb token or with password