On Mon, Feb 26, 2007 at 04:03:15PM -0800, Gary Winiger wrote:
> I have sympathy with you. I suspect what you really want
> is a tamperproof personal HW key store. $HOME isn't that.
> Certainly you should restrict the access to owner only
> (600) and use Kerberized Secure NFS for $HOME. Also consider
> making $HOME an encrypted file system.

ssh uses passphrase-encrypted files. Firefox does something much like that as well, and we have the PKCS#11 softtoken that too encrypts secrets in the user's PIN (which, incidentally, is not required to be four digits, or even all digits [IIRC]).

As for wifi -- that's not a user application, but a system application that interfaces with a single user, and like all system applications, it should store its secrets in local files with proper permissions or in tamper-resistant/evident PKCS#11 hardware tokens.

Nico
--
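
The owner-only (600) secret file handling discussed in this thread, as an added example that is not part of either message or of any project's code. The file name wifi.key, the sample secret and the function names are hypothetical; it assumes a POSIX system.

```python
import os
import stat
import tempfile

NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # refuse to follow a planted symlink

def write_secret(path: str, secret: bytes) -> None:
    """Create the file owner-only from the start; never create then chmod."""
    # O_EXCL fails if the path already exists, so a pre-created file is not reused.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | NOFOLLOW, 0o600)
    try:
        os.fchmod(fd, 0o600)  # explicit, independent of the caller's umask
        os.write(fd, secret)
    finally:
        os.close(fd)

def read_secret(path: str) -> bytes:
    """Refuse a secret file that other users could have read or replaced."""
    fd = os.open(path, os.O_RDONLY | NOFOLLOW)
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path, to avoid a race
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the current user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise PermissionError(f"{path}: mode {mode:o} is too open, want 600")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)

def demo() -> list:
    """Write a constructed secret, read it back, then loosen the mode and retry."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wifi.key")  # hypothetical file name
        write_secret(path, b"constructed-sample-secret")
        results.append(read_secret(path))
        os.chmod(path, 0o644)  # simulate a misconfigured file
        try:
            read_secret(path)
        except PermissionError:
            results.append("rejected")
    return results

if __name__ == "__main__":
    print(demo())
```

Permission bits only limit access by other local users; they do not replace the passphrase encryption or hardware tokens mentioned above.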