securing FAS certs
Toshio Kuratomi
a.badger at gmail.com
Thu Aug 21 20:22:28 UTC 2008
Mike McGrath wrote:
> On Thu, 21 Aug 2008, Ricky Zhou wrote:
>
>> On 2008-08-21 02:21:34 PM, Mike McGrath wrote:
>>> I've never actually used a crypto card... Do they add additional security
>>> if they're sitting in a colo always plugged in? If so how do they do
>>> that?
>> I might be wrong, but I think with such a card, encryption/signing takes
>> place entirely on the card, and thus the secret key is never transferred
>> anywhere off the card.
>>
>
> Ah, so the theory being that if someone happens to hit us, they're only
> hitting us for as long as the machine is up / card is in. And I assume
> the card actually tracks serial numbers and things so we can revoke
> anything that was signed in a questionable time?
>
That seems like it would work well. Jesse's been having troubles
obtaining the card he wants, though (and his is a gpg card, not for ssl
certificates).
The big thing might be having open source drivers.
-Toshio