[ale] Key management

Michael H. Warfield mhw at WittsEnd.com
Wed May 14 15:22:38 EDT 2008


On Wed, 2008-05-14 at 11:01 -0700, Kevin O'Neill Stoll wrote:
> We are saying the same thing, just worded diff.
> 
> Problem being, I don't want to have to distribute O's pub
> key manually to a dozen or 12 dozen sources.

> In the case of a pks, I would just configure the S clients
> to lookup against an internal pks for the O pub key,
> instead of manually placing a copy locally with each S.

	Thinking about this more...  You have to distribute something anyways,
the key, the code, the configuration.  All seems to amount to the same
thing.  Put the PGP key on a secure web server and have the code
download it the first time.  You have to set up the process at the
remote end to encrypt the data anyways, have the process download the
key from any trusted source you like, secure web server, ldap, pgp
keyserver, whatever.

	Mike

> And in reverse, O could lookup the pub key of the signer to
> validate the origin.
> 
> 
> 
> --- "Michael H. Warfield" <mhw at wittsend.com> wrote:
> 
> > Hello,
> > 
> > On Wed, 2008-05-14 at 09:26 -0700, Kevin O'Neill Stoll
> > wrote:
> > > Hey guys,
> > 
> > > Need some help with direction on encryption 
> > 
> > > Goal: I need to encryption plain text files while at
> > rest.
> > > One use case would be: files are received via ftp from
> > > various banks and should/could be encrypted with gpg
> > with
> > > the recipient defined as the consuming application, in
> > this
> > > case, Oracle Financials.
> > 
> > > Problem: the consuming application will be receiving
> > > encrypted files from many sources, not just the ftp
> > host,
> > > so Oracle Financials has to know about a great many
> > public
> > > keys, assuming the use of gpg. How do I got about
> > managing
> > > these keys in a central way?
> > 
> > 	Either I don't understand your application or you have
> > this completely
> > upside down.  "Oracle Financials" only needs one key, its
> > private key.
> > All the other parties will have the public key and
> > encrypt the data to
> > that public key.  Then, only Oracle Financials will be
> > able to decrypt
> > the files once it receives them.
> > 
> > 	So, I'm assuming that originating source "S" encrypts to
> > key "O" and
> > then the data is transferred to "O" through some means
> > involving some
> > resting data at each end.  "O" can then decrypt the data
> > as needed and
> > when needed and the data remains encrypted on storage. 
> > "S" would then
> > have no means to even decrypt the data that they
> > generated unless they
> > added their own key (and a wise move would be to also
> > sign the data for
> > authentication purposes) or kept a copy for themselves
> > (very unwise).
> > 
> > > I have looked into pks and sks, but catch here is they
> > > wanted something supported by our vendors (SuSE in this
> > > case).  
> > > 
> > > So, how do I manage a bunch of keys like this?
> > > 
> > >  
> > > If you don’t think gpg is the answer, I’m open to
> > ideas.
> > > I’m not stuck on anything at this point, just trying
> > to
> > > figure out how to roll an encryption solution that I
> > can
> > > ultimately hand off to an operations group and can
> > scale /
> > > support 500+ end-points.
> > > 
> > > Also, not afraid of commercial solutions but would like
> > to
> > > exhaust any and all oss solutions first.
> > > 
> > >  
> > > Thanks 
> > > 
> > > PKS: http://pks.sourceforge.net/
> > > 
> > > SKS: http://www.nongnu.org/sks/
> > > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > >       
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > 
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 985-6132 | 
> > mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 | 
> > http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we
> > live in the best of all
> >  PGP Key: 0xDF1DD471        | possible worlds.  A
> > pessimist is sure of it!
> > 
> > > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > 
> 
> 
> 
>       
> 
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20080514/3fe38982/attachment.bin 


More information about the Ale mailing list