On Sunday 04 August 2002 12:46 pm, Maik Schreiber wrote:

> > cracker gets my box, keylogs and gets my key's password (or bruteforces
> > it).
>
> There. You just said it. "Gets my box, gets my key's password". Remember
> the first rule of key management? Protect your private key!
>
> If your private key was protected like nothing else, he couldn't get it in
> the first place.

This is absolutely critical. Once your private key is compromised, you're in
trouble and those who trust you will be vulnerable until you are able to get
the word out (probably by cancelling your key and issuing a new one).

I typically store my private key on a credit-card sized CDR, which I place in
my CDROM drive and mount when I need to sign something, then remove when I'm
done. I have three copies, two of which I keep locked away in various places
and one of which I keep on my person.

If you treat your private key like you would a physical key on your keyring
(with which someone could take your car or gain access to your home), you
won't have the kind of vulnerability you are describing.

If you leave your private key lying around on your hard drive, however,
something that is admittedly tempting for the convenience it would offer,
then you are right to worry about exactly that kind of scenario compromising
your key, and the entire web of trust you've built.

Jean.
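The removable-media routine described above, written up as a wrapper script: mount the CD read-only, run GnuPG against the keyring on it, and unmount again even if signing fails. This is an added example, not code from the thread; the device path, mount point, the `gnupg` directory layout on the CD and the local keyring paths it refuses to tolerate are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sign a file with a private key that
# lives only on removable media, mounted just for the signing operation.
# Assumed defaults: /dev/cdrom, /mnt/keycd, a gnupg/ directory on the CD.
set -eu

KEY_DEV="${KEY_DEV:-/dev/cdrom}"
KEY_MNT="${KEY_MNT:-/mnt/keycd}"
GPG="${GPG:-gpg}"
MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"

# Always unmount, whether signing succeeded, failed or was interrupted.
cleanup() { "$UMOUNT" "$KEY_MNT" 2>/dev/null || true; }

# The point of the CD is that the key never sits on the hard drive, so refuse
# to proceed if a local secret keyring exists (old and new GnuPG layouts;
# the exact paths are assumptions).
check_no_local_secret_key() {
    for f in "$HOME/.gnupg/secring.gpg" "$HOME/.gnupg/private-keys-v1.d"; do
        if [ -e "$f" ]; then
            echo "refusing: secret key material found at $f" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sign_with_offline_key FILE   (writes FILE.asc via gpg)
sign_with_offline_key() {
    file="$1"
    check_no_local_secret_key || return 1
    "$MOUNT" -o ro "$KEY_DEV" "$KEY_MNT"
    trap cleanup EXIT INT TERM
    # --homedir points GnuPG at the keyring on the CD, so no copy of the
    # secret key is ever written under $HOME.
    "$GPG" --homedir "$KEY_MNT/gnupg" --detach-sign --armor "$file"
    cleanup
    trap - EXIT INT TERM
}
```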