| 1 |
On Wednesday 17 September 2008 13:16:57 Jil Larner wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> You cannot. The reason for this is simple : you can copy as many times |
| 5 |
> as you wish it your private key in any place. Even if you were able to |
| 6 |
> check-up that a private key is passphrase-protected, it wouldn't mean |
| 7 |
> every single copy of that key is protected so. And the interest of the |
| 8 |
> private key is that only the owners possesses it and hides it; thus you |
| 9 |
> shouldn't think about a mensual submission of the keyfile to |
| 10 |
> automatically check it is protected, because it would open a serious |
| 11 |
> security hole. |
| 12 |
|
| 13 |
Agreed. The hole I would like to close (or make smaller) is that the key is |
| 14 |
the main security between the user's desktop machine and the core routers on |
| 15 |
my network. We originally switched to ssh keys because users will gladly |
| 16 |
share passwords with each other without regard for consequences, and the |
| 17 |
administration of this is a nightmare. |
| 18 |
|
| 19 |
Keys make for better security, but I would like it to be even better. I also |
| 20 |
want to have my facts 100% straight - if I tell my boss "it can't be done" I |
| 21 |
like to show research to back it up. There's nothing worse than saying |
| 22 |
something can't be done, and someone else in the room immediately says how it |
| 23 |
can be done ... :-) |
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
-- |
| 28 |
alan dot mckinnon at gmail dot com |
Archives