Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library

On Sat, Jan 28, 2006 at 10:20:29PM -0500, Trond Myklebust wrote:

On Sat, 2006-01-28 at 17:57 +0100, David Härdeman wrote:
What about the first paragraph of what I wrote? You are going to want tokeep often-used keys around somehow, proxy certificates is not asolution for your own use of your personal keys and with the exceptionof hardware solutions such as smart cards, the keys will be safer in thekernel than in a user-space daemon...
I don't get this explanation at all.

Why would you want to use proxy certificates for you own use? Use your
own certificate for your own processes, and issue one or more proxy
certificates to any daemon that you want to authorise to do some limited
task.

I meant that you can't use proxy certs for your own use, so you still needto store your own cert/key somehow...and I still believe that the kernelkeyring is the best place...

...and what does this statement about "keys being safer in the kernel"
mean?

swap-out to disk, ptrace, coredump all become non-issues. And incombination with some other security features (such as disallowingmodules, read/write of /dev/mem + /dev/kmem, limited permissions viaSELinux, etc), it becomes pretty hard for the attacker to get yourprivate key even if he/she manages to get access to the root account.

Further, the mpi and dsa code can also be used for supporting signedmodules and binaries...the "store dsa-keys in kernel" part adds 376lines of code (counted with wc so comments and includes etc are alsocounted)...
Signed modules sounds like a better motivation, but is a full dsa
implementation in the kernel really necessary to achieve this?


How would you do it otherwise?

Re,
David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Adrian Bunk <[email protected]>

References:
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Christoph Hellwig <[email protected]>
- [PATCH 00/04] Add DSA key type
  - From: David Härdeman <[email protected]>
- [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Howells <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Adrian Bunk <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>

Prev by Date: Re: [PATCH] ahci: get JMicron JMB360 working
Next by Date: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Previous by thread: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Next by thread: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]