gabriel rosenkoetter on Mon, 8 Jul 2002 14:46:21 -0400



Re: [PLUG] log as root or not ?


On Mon, Jul 08, 2002 at 02:05:39PM -0400, Jesse Schultz wrote:
> If I act as my own CA with exactly 3 certificates to people I know well?

You've still got a single point of failure and attack in your CA. So
you'd better be *really* careful about the security on that system
and also be sure that it's extremely reliable. You can do this, but
PKI provides (imho) adequate security without the intervention of a
trusted intermediary.

> Personally I don't trust the verification methods for either verisign
> 14.95 specials or the Thawte web of trust.  But how does mallory get
> into a small tightly controlled CA?

By exploiting that system. (Even a DoS on that system would be
sufficient.) Bear in mind that the vast majority of security
compromises still happen from within the company, so protecting this
machine at your border firewall isn't enough.

[Radius]
> Guess I should play with this too.

Radius hosts have all the same single-point-of-foo problems that CAs
do, of course, and the same "keep them secure" provisos (provisi?).
I'm looking at using Radius because its benefit--not having to
maintain separate user accounts across various architectures, much
less across various Unix machines--is enough of a gain that I'm
willing to accept the pain of protecting this machine. I'm not
convinced that using a CA provides me enough of a benefit to warrant
the maintenance time. You may well decide differently.

-- 
gabriel rosenkoetter
gr@eclipsed.net
