From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-January/002158.html | 118 +++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-January/002158.html (limited to 'zarb-ml/mageia-sysadm/2011-January/002158.html') diff --git a/zarb-ml/mageia-sysadm/2011-January/002158.html b/zarb-ml/mageia-sysadm/2011-January/002158.html new file mode 100644 index 000000000..b5781f7be --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-January/002158.html @@ -0,0 +1,118 @@ + + + + [Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl + + + + + + + + + +

[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl

+ Michael Scherer + misc at zarb.org +
+ Mon Jan 17 18:07:44 CET 2011 +

+
+ +
Le lundi 17 janvier 2011 à 16:35 +0000, Pascal Terjan a écrit :
+> On Mon, Jan 17, 2011 at 16:23, Michael Scherer <misc at zarb.org> wrote:
+> > Le lundi 17 janvier 2011 à 16:24 +0100, root at mageia.org a écrit :
+> >> Revision: 814
+> >> Author:   misc
+> >> Date:     2011-01-17 16:24:10 +0100 (Mon, 17 Jan 2011)
+> >> Log Message:
+> >> -----------
+> >> - add a module to generate gnupg key ( similar to the one for openssl
+> >>   certs )
+> >
+> > Ok so now we have the command to generate key, I propose to ... generate
+> > a key ( we can also party, if we prefer ).
+>
+> Or both
+
+Yeah \o/
+
+First drink, then commit ?
+
+> > According to http://www.awe.com/mark/blog/200701300906.html , RH use a
+> > master key that sign the release keys. So doing like this would allow us
+> > to ask for signing the master key, we can renew it when needed, and we
+> > use it to sign the release key. ( RH also have a HSM for that :
+> > http://iss.thalesgroup.com/en/Products/Hardware%20Security%
+> > 20Modules/nShield%20Solo.aspx , but there is no price tag. If someone by
+> > chance know some Thales insider, it would be interesting to have more
+> > information ).
+> 
+> Ah that's close to what I was suggesting :)
+> Storing it on something like https://store.ironkey.com/personal would
+> make sense (hardware encryption, if you try n times (5 or 10 I think)
+> to unlock with wrong passphrase data is destroyed by the hardware)
+
+That doesn't fight against the same threat.
+
+The rh solution prevent theft of the key. This one prevent bruteforce of
+the key. 
+
+But that could be a part of the solution. We put the master key on that,
+we send it to the president, we store a backup protected by a shamir
+secret sharing ( http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing ),
+given to various people ( like to the 9 admins, with a threshold of 4 or
+5 ), so if the president lose the password (*khof*) and destroy the key,
+we can still get it.
+
+I guess we should list the threat we will be facing before deciding on a
+definite scheme.
+
+-- 
+Michael Scherer
+
+
+ + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1