-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just in case the original question was the correct scenario.

        You do not have to worry too much about a public key. It is designed to be 
used to send someone a message only they can decrypt.

On the other side of the equation, if you have a private key on your server:

Assuming the "private" keys are stored on your servers, they are your private 
keys; the ciphertext is sent to you, and you decrypt it to get the plaintext.

Private key management is a matter of:
        Limiting access to the repository.
                Store locally with a strong (long) passphrase.

        Limiting access to the passphrase it is encrypted with.
                Do not store the passphrase in a config file etc.
                One way is to have a user enter the passphrase into your server on 
startup and immediately obfuscate the phrase in the app's process memory space. It 
can then be used to access the private key when a message has to be decrypted. In 
this case you trust the operator who starts the server and enters the phrase, 
and not the integrity of the server.

You may want to authenticate the sender too.
        Ensure they sign with their private key as well as encrypt.
        Authenticate the sig against their public key on your server.
        This guarantees who sent the message.

Hope this is of assistance

Mark

On Sat, 14 Feb 2004 08:34 am, Andrew Cowie wrote:
> On Fri, 2004-02-13 at 22:15, Ken Foskey wrote:
> > If we have their public key installed
>
> You meant "private" here, right?
>
> > Any other thoughts on how to protect the keys?
>
> Keychain sized USB flash drive which the secret keychain is carried on?
>
> Also - if you used symmetric encryption throughout (PGP supports, gpg
> option -c) then it would just be a conventional matter of remembering
> the encryption passphrase as opposed to public/private key management
> issues.
>
> AfC
>
> --
> Andrew Frederick Cowie
> Operational Dynamics Consulting Pty Ltd
>
> Australia: +61 2 9977 6866  North America: +1 646 472 5054
>
> http://www.operationaldynamics.com/

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ | |\ |\ | | /  Mark Canavan
~ | || |-||-||-   http://www.inbhe.org
~ | || |/ | | \  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFANu6KsRo8bGZWxRsRAhY8AKCCcaztuLrO8w83Gy3OKvn6Q58KJwCdGNiM
aoq/PdtU6DwZ6Wx/34YFJSw=
=k+id
-----END PGP SIGNATURE-----

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
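An added example, not part of Mark's message or of the thread: the scheme above worked through with GnuPG in a POSIX shell script. The sender signs and encrypts; the server decrypts with a passphrase that exists only in the running process and is handed to gpg over a pipe (never on the command line, where `ps` would show it, and never in a config file), then accepts a message only if the signature verifies against the sender's key fingerprint pinned on the server. It also exercises the failure mode Mark's last point guards against: an encrypted but unsigned message decrypts fine and must still be rejected. Assumptions: GnuPG 2.1 or later (the `--quick-gen-key`, `--pinentry-mode loopback` and `--status-file` options did not exist in the 1.2.x of the thread); the user IDs `sender@example.invalid` and `server@example.invalid`, the passphrases and the sample message are constructed; all keys are generated into throw-away directories so nothing touches a real keyring.

```shell
#!/bin/sh
# Added example (not from the original post). Sign+encrypt on the sender side,
# decrypt+verify on the server side, with the passphrase fed to gpg over a pipe.
# Assumes GnuPG 2.1+; names, passphrases and the sample message are constructed.
set -eu

# Skip (exit 0) rather than fail when the required GnuPG is not available.
if ! command -v gpg >/dev/null 2>&1 || ! gpg --version | head -n1 | grep -Eq ' (2\.[1-9]|[3-9]\.)'; then
  echo "gpg 2.1 or later not found; demo skipped" >&2
  exit 0
fi

# Batch mode; the passphrase arrives on fd 0 (a pipe), so it is not in argv.
GPG_BATCH="--batch --yes --no-tty --pinentry-mode loopback --passphrase-fd 0"

new_homedir() {
  # Isolated keyring (mode 700); allow loopback pinentry for older 2.1.x agents.
  d=$(mktemp -d)
  chmod 700 "$d"
  printf 'allow-loopback-pinentry\n' > "$d/gpg-agent.conf"
  printf '%s\n' "$d"
}

gen_key() {  # gen_key HOMEDIR USERID PASSPHRASE
  # "default default" = sign+certify primary key plus an encryption subkey.
  printf '%s\n' "$3" | gpg --homedir "$1" $GPG_BATCH \
      --quick-gen-key "$2" default default never 2>/dev/null
}

fingerprint_of() {  # fingerprint_of HOMEDIR USERID -> primary key fingerprint
  gpg --homedir "$1" --batch --with-colons --fingerprint --list-keys "$2" \
      | awk -F: '$1=="fpr"{print $10; exit}'
}

sender_send() {  # sender_send HOMEDIR PASSPHRASE RECIPIENT PLAINTEXT OUT
  # Sign with the sender's private key AND encrypt to the server's public key.
  printf '%s\n' "$2" | gpg --homedir "$1" $GPG_BATCH --trust-model always \
      --sign --encrypt --recipient "$3" --output "$5" "$4" 2>/dev/null
}

sender_send_unsigned() {  # sender_send_unsigned HOMEDIR RECIPIENT PLAINTEXT OUT
  # Encrypt only: the message the server must reject.
  gpg --homedir "$1" --batch --yes --no-tty --trust-model always \
      --encrypt --recipient "$2" --output "$4" "$3" 2>/dev/null
}

server_receive() {  # server_receive HOMEDIR PASSPHRASE EXPECTED_FPR IN OUT -> 0 accept, 1 reject
  status=$(mktemp)
  printf '%s\n' "$2" | gpg --homedir "$1" $GPG_BATCH --status-file "$status" \
      --output "$5" --decrypt "$4" 2>/dev/null || true
  # Decrypting proves nothing about the sender. Require DECRYPTION_OKAY plus a
  # VALIDSIG whose primary-key fingerprint (last field) is the one pinned here.
  decrypted=$(awk '$1=="[GNUPG:]" && $2=="DECRYPTION_OKAY"{print "yes"; exit}' "$status")
  signer=$(awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF; exit}' "$status")
  rm -f "$status"
  if [ "$decrypted" = yes ] && [ -n "$signer" ] && [ "$signer" = "$3" ]; then
    return 0
  fi
  rm -f "$5"   # never hand unauthenticated plaintext to the application
  return 1
}

run_demo() {
  SENDER_HOME=$(new_homedir); SERVER_HOME=$(new_homedir)
  SENDER_PW='sender-demo-passphrase'
  # In a real service the operator types this at startup (stty -echo; read -r);
  # it lives only in this process and is never written to a config file.
  SERVER_PW='operator-typed-this-at-startup'
  gen_key "$SENDER_HOME" sender@example.invalid "$SENDER_PW"
  gen_key "$SERVER_HOME" server@example.invalid "$SERVER_PW"
  # Only public keys cross sides.
  gpg --homedir "$SENDER_HOME" --batch --export sender@example.invalid \
      | gpg --homedir "$SERVER_HOME" --batch --import 2>/dev/null
  gpg --homedir "$SERVER_HOME" --batch --export server@example.invalid \
      | gpg --homedir "$SENDER_HOME" --batch --import 2>/dev/null
  # The server pins the sender's fingerprint, confirmed out of band in practice.
  SENDER_FPR=$(fingerprint_of "$SERVER_HOME" sender@example.invalid)

  work=$(mktemp -d)
  printf 'order 4711: ship 12 units\n' > "$work/plain.txt"   # constructed message

  sender_send "$SENDER_HOME" "$SENDER_PW" server@example.invalid "$work/plain.txt" "$work/signed.gpg"
  if server_receive "$SERVER_HOME" "$SERVER_PW" "$SENDER_FPR" "$work/signed.gpg" "$work/out1.txt" \
     && cmp -s "$work/plain.txt" "$work/out1.txt"; then SIGNED_ACCEPTED=yes; else SIGNED_ACCEPTED=no; fi

  sender_send_unsigned "$SENDER_HOME" server@example.invalid "$work/plain.txt" "$work/unsigned.gpg"
  if server_receive "$SERVER_HOME" "$SERVER_PW" "$SENDER_FPR" "$work/unsigned.gpg" "$work/out2.txt"; then
    UNSIGNED_ACCEPTED=yes; else UNSIGNED_ACCEPTED=no; fi

  echo "signed+encrypted message accepted: $SIGNED_ACCEPTED"
  echo "encrypted-only message accepted:   $UNSIGNED_ACCEPTED"
  rm -rf "$work"
  gpgconf --homedir "$SENDER_HOME" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$SERVER_HOME" --kill gpg-agent 2>/dev/null || true
}

run_demo
```

Run it as `sh gpg-demo.sh`; the first message is accepted and the second rejected. The fingerprint comparison is the part that actually authenticates the sender: GOODSIG/VALIDSIG only say that some key in the server's keyring verified the signature, so the server must also check which key, against a fingerprint it obtained out of band. Note what the script deliberately does not do: it never puts a passphrase in `--passphrase` on the command line (visible to every local user via `ps`) or in a file, which is the config-file mistake Mark warns against.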
