diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-January/002158.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/2011-January/002158.html | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-January/002158.html b/zarb-ml/mageia-sysadm/2011-January/002158.html new file mode 100644 index 000000000..b5781f7be --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-January/002158.html @@ -0,0 +1,118 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B814%5D%20-%20add%20a%20module%20to%20generate%20gnupg%20key%20%28%0A%20similar%20to%20the%20one%20for%20openssl&In-Reply-To=%3C1295284064.24697.68.camel%40akroma.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="002156.html"> + <LINK REL="Next" HREF="002159.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B814%5D%20-%20add%20a%20module%20to%20generate%20gnupg%20key%20%28%0A%20similar%20to%20the%20one%20for%20openssl&In-Reply-To=%3C1295284064.24697.68.camel%40akroma.ephaone.org%3E" + TITLE="[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl">misc at zarb.org + </A><BR> + <I>Mon Jan 17 18:07:44 CET 2011</I> + <P><UL> + <LI>Previous message: <A HREF="002156.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl +</A></li> + <LI>Next message: <A HREF="002159.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#2158">[ date ]</a> + <a href="thread.html#2158">[ thread ]</a> + <a href="subject.html#2158">[ subject ]</a> + <a href="author.html#2158">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le lundi 17 janvier 2011 à 16:35 +0000, Pascal Terjan a écrit : +><i> On Mon, Jan 17, 2011 at 16:23, Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote: +</I>><i> > Le lundi 17 janvier 2011 à 16:24 +0100, <A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">root at mageia.org</A> a écrit : +</I>><i> >> Revision: 814 +</I>><i> >> Author: misc +</I>><i> >> Date: 2011-01-17 16:24:10 +0100 (Mon, 17 Jan 2011) +</I>><i> >> Log Message: +</I>><i> >> ----------- +</I>><i> >> - add a module to generate gnupg key ( similar to the one for openssl +</I>><i> >> certs ) +</I>><i> > +</I>><i> > Ok so now we have the command to generate key, I propose to ... generate +</I>><i> > a key ( we can also party, if we prefer ). +</I>><i> +</I>><i> Or both +</I> +Yeah \o/ + +First drink, then commit ? + +><i> > According to <A HREF="http://www.awe.com/mark/blog/200701300906.html">http://www.awe.com/mark/blog/200701300906.html</A> , RH use a +</I>><i> > master key that sign the release keys. So doing like this would allow us +</I>><i> > to ask for signing the master key, we can renew it when needed, and we +</I>><i> > use it to sign the release key. ( RH also have a HSM for that : +</I>><i> > <A HREF="http://iss.thalesgroup.com/en/Products/Hardware%20Security%">http://iss.thalesgroup.com/en/Products/Hardware%20Security%</A> +</I>><i> > 20Modules/nShield%20Solo.aspx , but there is no price tag. If someone by +</I>><i> > chance know some Thales insider, it would be interesting to have more +</I>><i> > information ). +</I>><i> +</I>><i> Ah that's close to what I was suggesting :) +</I>><i> Storing it on something like <A HREF="https://store.ironkey.com/personal">https://store.ironkey.com/personal</A> would +</I>><i> make sense (hardware encryption, if you try n times (5 or 10 I think) +</I>><i> to unlock with wrong passphrase data is destroyed by the hardware) +</I> +That doesn't fight against the same threat. + +The rh solution prevent theft of the key. This one prevent bruteforce of +the key. + +But that could be a part of the solution. We put the master key on that, +we send it to the president, we store a backup protected by a shamir +secret sharing ( <A HREF="http://en.wikipedia.org/wiki/Shamir">http://en.wikipedia.org/wiki/Shamir</A>'s_Secret_Sharing ), +given to various people ( like to the 9 admins, with a threshold of 4 or +5 ), so if the president lose the password (*khof*) and destroy the key, +we can still get it. + +I guess we should list the threat we will be facing before deciding on a +definite scheme. + +-- +Michael Scherer + +</PRE> + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="002156.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl +</A></li> + <LI>Next message: <A HREF="002159.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#2158">[ date ]</a> + <a href="thread.html#2158">[ thread ]</a> + <a href="subject.html#2158">[ subject ]</a> + <a href="author.html#2158">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |