Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library

On Sun, Jan 29, 2006 at 11:38:22AM -0500, Trond Myklebust wrote:

On Sun, 2006-01-29 at 12:33 +0100, David Härdeman wrote:
Why would you want to use proxy certificates for you own use? Use your
own certificate for your own processes, and issue one or more proxy
certificates to any daemon that you want to authorise to do some limited
task.
I meant that you can't use proxy certs for your own use, so you still needto store your own cert/key somehow...and I still believe that the kernelkeyring is the best place...
Agreed. Now, reread what I said above, and tell me why this is an
argument for doing dsa in the kernel?

If you agree that the kernel keyring is the best place, it shouldn't bea big step to also agree that in-kernel signing is "good" since itallows you to use the key while it makes it possible for the kernel torefuse to divulge the private part...even to the user who added the key(i.e. yourself)...

...and what does this statement about "keys being safer in the kernel"
mean?
swap-out to disk, ptrace, coredump all become non-issues. And incombination with some other security features (such as disallowingmodules, read/write of /dev/mem + /dev/kmem, limited permissions viaSELinux, etc), it becomes pretty hard for the attacker to get yourprivate key even if he/she manages to get access to the root account.
Turning off coredump is trivial. All the features that LSM provide apply
to userland too (including security_ptrace()), so the SELinux policies
are not an argument for putting stuff in the kernel.

Only the swap-out to disk is an issue, and that is less of a worry if
you use a time-limited proxy in the daemon.

How do you use a "time-limited proxy in the daemon" for your ownkeys/cerificates (e.g. ssh keys)?


Re,
David

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>

References:
- [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Howells <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Adrian Bunk <[email protected]>
- Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: David Härdeman <[email protected]>
- Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
  - From: Trond Myklebust <[email protected]>

Prev by Date: Re: [PATCH 01/04] Add multi-precision-integer maths library
Next by Date: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Previous by thread: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Next by thread: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]