
Re: Private key server



At 11:46 AM 9/18/96 -0400, [email protected] (Chris Steel)
wrote about the problem of getting his public and private keys to
various machines around his company, and would like some sort of
secret-key-ring server to make it easier to download them
(and presumably to avoid leaving them on the disks of shared machines
for longer than necessary.)

This is, of course, semi-dangerous, for a couple of reasons:
1) Limiting access to your secret keyring file reduces the probability 
of a brute-force cracker attack against your keyring - 
if your password is "foo", then anybody who has your keyring can
probably find that out quickly if they hack a pgp-keyring-cracker.
2) Your keyring has, in cleartext, the identities of the different
keys on it.  If you only use one id, and it's well-known, that doesn't
expose you particularly, but if you're using multiple nyms,
anyone who has your file can connect them by just looking at the
printable parts of the file.

However, assuming you've decided to do it anyway :-), what are your options?
You could use a networked file system such as NFS or Netware or the
Evil Microsoft NETBIOS-based filesystems, and take advantage of their
protections.  Since they don't ship encrypted data, any eavesdropper can
find them anyway, but they won't be able to just grab the file off the net.
You'd be better off, however, using a secure web server, like Apache-SSL,
and only providing https: access to the page plus passwords plus 
address-based restrictions to try to make it accessible only to you
and not eavesdroppable.  Also, you can encrypt the copy of the secret
keyring you distribute using a secret key you can remember.

But don't do it :-)

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# http://idiom.com/~wcs
# You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto
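
The https-plus-passwords-plus-address-restrictions setup the message sketches, written out as an added example that is not part of the original post or of Apache-SSL's own documentation. It uses modern Apache httpd 2.4 directives rather than 1996 Apache-SSL syntax; the hostname, file paths and the 10.0.0.0/8 range are assumed placeholders.

```apache
# Added example (not from the original post): an Apache httpd 2.4 setup that
# serves the keyring file only over HTTPS, only to an authenticated user, and
# only from the company's internal address range. The file placed under
# /srv/keyring-www should be the symmetrically encrypted copy the post
# recommends, not the raw secring. Hostname, paths and the 10.0.0.0/8
# range are assumed placeholders.

# Plain-HTTP vhost: never serve the file here, just redirect to HTTPS.
<VirtualHost *:80>
    ServerName keys.example.internal
    Redirect permanent / https://keys.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName keys.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/keys.example.internal.crt
    SSLCertificateKeyFile /etc/ssl/keys.example.internal.key
    # Refuse old protocol versions instead of negotiating down.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    DocumentRoot /srv/keyring-www
    <Directory /srv/keyring-www>
        Options None
        AllowOverride None
        # Fail closed if this directory is ever reached without TLS.
        SSLRequireSSL
        # Password check; the htpasswd file lives outside the document root.
        AuthType Basic
        AuthName "secret keyring"
        AuthUserFile /etc/apache2/keyring.htpasswd
        # Both conditions must hold: a valid login AND a source address
        # inside the internal range (address-based restriction).
        <RequireAll>
            Require valid-user
            Require ip 10.0.0.0/8
        </RequireAll>
    </Directory>

    # Separate access log so any unexpected download of the keyring stands out.
    CustomLog /var/log/apache2/keyring-access.log combined
</VirtualHost>
```

Address restrictions only limit where a request may come from; the passphrase on the distributed copy is still what protects the keys if a download is ever observed or the server is compromised.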