1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B814%5D%20-%20add%20a%20module%20to%20generate%20gnupg%20key%20%28%0A%20similar%20to%20the%20one%20for%20openssl&In-Reply-To=%3C1295284064.24697.68.camel%40akroma.ephaone.org%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="002156.html">
<LINK REL="Next" HREF="002159.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl</H1>
<B>Michael Scherer</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B814%5D%20-%20add%20a%20module%20to%20generate%20gnupg%20key%20%28%0A%20similar%20to%20the%20one%20for%20openssl&In-Reply-To=%3C1295284064.24697.68.camel%40akroma.ephaone.org%3E"
TITLE="[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl">misc at zarb.org
</A><BR>
<I>Mon Jan 17 18:07:44 CET 2011</I>
<P><UL>
<LI>Previous message: <A HREF="002156.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl
</A></li>
<LI>Next message: <A HREF="002159.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#2158">[ date ]</a>
<a href="thread.html#2158">[ thread ]</a>
<a href="subject.html#2158">[ subject ]</a>
<a href="author.html#2158">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Le lundi 17 janvier 2011 à 16:35 +0000, Pascal Terjan a écrit :
><i> On Mon, Jan 17, 2011 at 16:23, Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote:
</I>><i> > Le lundi 17 janvier 2011 à 16:24 +0100, <A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">root at mageia.org</A> a écrit :
</I>><i> >> Revision: 814
</I>><i> >> Author: misc
</I>><i> >> Date: 2011-01-17 16:24:10 +0100 (Mon, 17 Jan 2011)
</I>><i> >> Log Message:
</I>><i> >> -----------
</I>><i> >> - add a module to generate gnupg key ( similar to the one for openssl
</I>><i> >> certs )
</I>><i> >
</I>><i> > Ok so now we have the command to generate key, I propose to ... generate
</I>><i> > a key ( we can also party, if we prefer ).
</I>><i>
</I>><i> Or both
</I>
Yeah \o/
First drink, then commit ?
><i> > According to <A HREF="http://www.awe.com/mark/blog/200701300906.html">http://www.awe.com/mark/blog/200701300906.html</A> , RH use a
</I>><i> > master key that sign the release keys. So doing like this would allow us
</I>><i> > to ask for signing the master key, we can renew it when needed, and we
</I>><i> > use it to sign the release key. ( RH also have a HSM for that :
</I>><i> > <A HREF="http://iss.thalesgroup.com/en/Products/Hardware%20Security%">http://iss.thalesgroup.com/en/Products/Hardware%20Security%</A>
</I>><i> > 20Modules/nShield%20Solo.aspx , but there is no price tag. If someone by
</I>><i> > chance know some Thales insider, it would be interesting to have more
</I>><i> > information ).
</I>><i>
</I>><i> Ah that's close to what I was suggesting :)
</I>><i> Storing it on something like <A HREF="https://store.ironkey.com/personal">https://store.ironkey.com/personal</A> would
</I>><i> make sense (hardware encryption, if you try n times (5 or 10 I think)
</I>><i> to unlock with wrong passphrase data is destroyed by the hardware)
</I>
That doesn't fight against the same threat.
The rh solution prevent theft of the key. This one prevent bruteforce of
the key.
But that could be a part of the solution. We put the master key on that,
we send it to the president, we store a backup protected by a shamir
secret sharing ( <A HREF="http://en.wikipedia.org/wiki/Shamir">http://en.wikipedia.org/wiki/Shamir</A>'s_Secret_Sharing ),
given to various people ( like to the 9 admins, with a threshold of 4 or
5 ), so if the president lose the password (*khof*) and destroy the key,
we can still get it.
I guess we should list the threat we will be facing before deciding on a
definite scheme.
--
Michael Scherer
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="002156.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl
</A></li>
<LI>Next message: <A HREF="002159.html">[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#2158">[ date ]</a>
<a href="thread.html#2158">[ thread ]</a>
<a href="subject.html#2158">[ subject ]</a>
<a href="author.html#2158">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>
|
