WebApp Sec mailing list archives
Re: key storage
From: George Capehart <gwc () acm org>
Date: Thu, 2 Sep 2004 18:27:39 -0400
On Tuesday 31 August 2004 09:42, Roman Fail allegedly wrote:
> Wouldn't it be a better practice to have all the encryption/decryption occur on the proxy machine itself?

Rule of thumb: The piece of the system that has the most vested interest in the CIA (confidentiality, integrity and availability) of the data should be where CIA mechanisms are applied. Put another way, if the data needs to be encrypted, the piece of the system that produced the data should be the piece that encrypts it. The piece of the system (service) that has the most vested interest in the CIA of incoming data (and the authenticity of the sender and whether the authenticated sender has the authority to request the service) should be where the sender is authenticated and authorized and where the CIA of the data are validated . . .

The proxy is most probably in the DMZ, too. In the trust hierarchy, the DMZ is, at best, just slightly more trustworthy than the hinterlands, but not by much.

Cheers,

George Capehart

--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925
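The rule of thumb above, modelled as an added Go example that is not part of the thread: the producing service seals the record with AES-GCM under a key that only it and the consuming service hold, the DMZ proxy can only relay (or, if compromised, alter) bytes it cannot read, and the consumer is where tampering or re-addressing is detected. The function names, the `/store` route label and the sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AES-256-GCM keyed only by the producing and consuming services; the proxy never gets this key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtProducer encrypts and authenticates the record where it originates. The route
// is bound as associated data so an intermediary cannot re-address it. Layout: nonce || ct || tag.
func SealAtProducer(key, record []byte, route string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh nonce per message; never reuse one under the same key
	return aead.Seal(nonce, nonce, record, []byte(route)), nil
}

// OpenAtConsumer is the only point of decryption; any change made in transit fails authentication here.
func OpenAtConsumer(key, msg []byte, route string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], []byte(route))
}

// ProxyRelay models the DMZ proxy: it forwards bytes it cannot read; tamper simulates a compromised proxy.
func ProxyRelay(msg []byte, tamper bool) []byte {
	out := append([]byte(nil), msg...)
	if tamper && len(out) > 0 {
		out[len(out)-1] ^= 0x01 // flip one bit of the GCM tag
	}
	return out
}
```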