...if the goal is to avoid storing a private key in plaintext, can that private key live in a hardware store (PKCS#11, TPM, etc) instead?
On Thu, May 26, 2016 at 8:49 AM Steve Litt <[email protected]> wrote: > On Thu, 26 May 2016 14:16:16 +0100 > Jonathan de Boyne Pollard <[email protected]> > wrote: > > > Christophe-Marie Duquesne: > > > Any idea how to proceed? > > > > You're running a daemon. It really shouldn't have an interactive > > user interface. Remember the lessons that resulted in Session 0 > > Isolation in Windows NT. > > The more I read of this thread, the more I think it's a bad idea to > have a boot-instantiated daemon acquire a password by any means, and > the more I think maybe a completely different approach might be more > appropriate. So let me ask the original poster a few questions: > > * What does this daemon do? > * How many users does the machine have? > - At one time? > - Ever? > * Would all the machine's users be expected to know the password? > * Did you write the daemon yourself? > * Why does it need to be a supervised daemon, rather than just a > program the user runs? > > Thanks, > > SteveT > > Steve Litt > May 2016 featured book: Rapid Learning for the 21st Century > http://www.troubleshooters.com/rl21 >
