Hi Stan,

You guessed it:  I train the client to keep the private key in a text file on their 
own desktop or someplace safe locally.

Let me back up a step:

First thing I do is build a cf template that generates public and private keys, and 
shows those keys to the client via an ssl connection.

The template generates the keys and the client -- at their physical office location -- 
plants the public key into a form field that then stores it onto the server, also on 
ssl.  They take the private key and copy it to a local text file.

When they come back the next day to their app they have to go to an 'input your key' 
form (ssl again) where they paste in the private key.  I then take that value and 
store it in a session cookie... NOT a regular cookie as that gets stored on the local 
HD, and not a client variable since that gets stored on the server where it can be 
harvested by a hacker from the client variable db(!).  

Using a session cookie also has the secondary effect of killing the key when the 
browser is closed, and keeping it clean off the server even after it's instantiated.  I 
could use session vars but my app doesn't use CF session mgmt to maintain state.

If the client is a basket case and I have to generate keys for them I mail the key to 
them on a disk.  

As you can guess none of this is convenient, but I tell the client this is the 
tradeoff for true security, exhibition of due diligence and limitation of liability.  
Explaining how doing this right helps keep them from losing a lawsuit always gets 
their attention.

Cheers,

-------------------------------------------
 Matt Robertson,     [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------


---------- Original Message ----------------------------------
From: Stan Winchester <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Fri, 20 Jun 2003 19:59:37 -0400

>Matt,
>
>Is there a "best practice" to store/implement the private key for cfx_textcrypt? I 
>know the private key is one of the major keys to the security of the process, and my best 
>guess is it must not be stored on the server. How do you store/implement the private key?
>
>Stan Winchester
>AfterShock Web Design, LLC
>[EMAIL PROTECTED]
>http://www.aftershockweb.com/
>Tel. 503-244-3440
>Fax 503-244-3454
>
>>Encrypt the data.  Don't rely on either CF or mySQL's encryption if 
>>you can at all possibly avoid it.  My personal favorite encryption method 
>>is cfx_textcrypt from http://perthweb.developer.com.au but I'm sure 
>>others on the list have favorites of their own.
>>
>>-------------------------------------------
>>Matt Robertson,     [EMAIL PROTECTED]
>>MSB Designs, Inc. http://mysecretbase.com
>>-------------------------------------------
>
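The key-entry step Matt describes, as an added example that is not part of this thread or of cfx_textcrypt: Python's stdlib http.cookies stands in for ColdFusion's cfcookie, issuing the pasted key as a browser session cookie (no Expires/Max-Age, Secure) and reading it back on later requests, beside the persistent "regular cookie" variant he avoids. The cookie name and the key value are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "pkey"  # assumed name; the thread does not give one


def issue_key_cookie(private_key: str) -> str:
    """Set-Cookie value for the 'input your key' form (served over TLS only).

    No Expires/Max-Age is set, so the browser keeps the value in memory and
    drops it when it closes, which is the reply's reason for a session cookie
    rather than a persistent one written to the local disk. Secure keeps it
    off plain HTTP; HttpOnly keeps page scripts from reading it.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = private_key
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["samesite"] = "Strict"
    jar[COOKIE_NAME]["path"] = "/"
    return jar[COOKIE_NAME].OutputString()


def persistent_variant(private_key: str, days: int = 30) -> str:
    """The 'regular cookie' the reply avoids: Max-Age makes the browser
    persist the key to its on-disk cookie store across restarts."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = private_key
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["max-age"] = days * 86400
    return jar[COOKIE_NAME].OutputString()


def is_session_cookie(set_cookie: str) -> bool:
    """True when the Set-Cookie value carries neither Expires nor Max-Age."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return not ({"expires", "max-age"} & attrs)


def key_from_request(cookie_header: str) -> Optional[str]:
    """Recover the key from a request's Cookie header. None means the browser
    was restarted (or never visited the form) and the user must paste the key
    again; the value exists only in this request's memory, never in a store."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


if __name__ == "__main__":
    key = "MIIBogIBAAJBAK+constructed/placeholder="  # constructed, not a real key
    print(issue_key_cookie(key), is_session_cookie(persistent_variant(key)))
```

The session cookie only keeps the key off disk on both ends; it still travels with every request, so the Secure flag and the SSL-only forms the reply insists on are what keep it off the wire in the clear.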
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
