On Tue, Apr 21, 2009 at 01:22:01PM -0400, Edward Lewis wrote:

> same fortifications. "Breaking the database" security won't make getting
> to the key any easier, i.e., the database does not contain the
> information needed to access the key.

If the database does not contain the information needed to access the key -- which actually means "does not contain the key", since if the database contains the key it contains the information needed to access the key -- then you have just built your own HSM-like device (except that it implements some of the components in software instead). Now your only problem is trying to prove that your system is as secure as the alternative, which is just buying an HSM. HSMs aren't just expensive because of the unusual hardware they contain. The testing of them to prove they meet all those big standards most of us haven't read is expensive and time consuming (and risky, if you find your device fails).

If the database _does_ contain the key, then the only question is whether there is an escalation attack that can get an attacker the privileges needed to access the key. One such escalation attack, of course, is "get hired and have access to the superuser account." I'm aware of how the accounting systems catch such access. I'm also aware of how such access accounting breaks down.

Anyway, I completely agree that this is a cost-benefit analysis that different sites have to do based on their use cases.

A

--
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop