| 1 |
On Sunday 04 August 2002 12:46 pm, Maik Schreiber wrote: |
| 2 |
> > cracker gets my box, keylogs and gets my key's password (or bruteforces |
| 3 |
> > it). |
| 4 |
> |
| 5 |
> There. You just said it. "Gets my box, gets my key's password". Remember |
| 6 |
> the first rule of key management? Protect your private key! |
| 7 |
> |
| 8 |
> If your private key was protected like nothing else, he couldn't get it in |
| 9 |
> the first place. |
| 10 |
|
| 11 |
This is absolutely critical. Once your private key is compromised, you're in |
| 12 |
trouble and those who trust you will be vulnerable until you are able to get |
| 13 |
the word out (probably by cancelling your key and issueing a new one). |
| 14 |
|
| 15 |
I typically store my private key on a credit-card sized CDR, which I place in |
| 16 |
my CDROM drive and mount when I need to sign something, then remove when I'm |
| 17 |
done. I have three copies, two of which I keep locked away in various places |
| 18 |
and one of which I keep on my person. |
| 19 |
|
| 20 |
If you treat your private key like you would a physical key on your keyring |
| 21 |
(with which someone could take your car or gain access to your home), you |
| 22 |
won't have the kind of vulnerability you are describing. |
| 23 |
|
| 24 |
If you leave your private key lying around on your hard drive, however, |
| 25 |
something that is admittedly tempting for the convinience it would offer, |
| 26 |
then you are right to worry about exactly that kind of scenerio compromising |
| 27 |
your key, and the entire web of trust you've built. |
| 28 |
|
| 29 |
Jean. |
Archives