
Subject: Re: CIPE source code modifications
From: Wolfgang Ocker <weo,AT,web-alm,DOT,net>
Date: Wed, 19 Mar 2003 00:03:04 +0100
In-reply-to: <3E62A96A.9080905@ceag.ch>

Damion,

first let me thank you for your great work on CIPE for Windows! It is
extremely useful for our customers and ourselves.

On Tue, 2003-03-18 at 21:15, Damion K. Wilson wrote:
> 2. I disagree with the asterisk representation. It's too hard for the 
> administrator to confirm that he/she has it done right. 

In case you suspect that the key is wrong you can transfer the key using
cut & paste. But even this can be improved by reading the key into the
input field from a file (e.g. the options file from the peer Linux
system) -- Carsten is working on this.

> I repeat it is NOT A 
> PASSWORD AND IT IS STORED IN CLEARTEXT ! 

I've done several evaluation installations of CIPE on Windows for
customers during the last weeks. The users' major complaint is that the
encryption key is too easy to retrieve by non-authorized persons. The
first idea for a solution was to display the asterisks instead of the
key. Now it's much better: the key stored in the registry is protected
by a passphrase.

> If you have problems with this 
> representation then you need to chase it up with Olaf. I am strongly 
> disinclined to merge this feature as the stated mandate of this project is
> to follow Olaf's direction.

The situation on Linux is pretty much different than on Windows. On
Linux, there's no world readable registry where the key is stored.

>  It appears that the way forward with this is pkcipe.

Even with pkcipe you have to protect the private key somehow.

Wolfgang




