Also, maybe I wasn't clear here - that is, if the 'verification is local' (say a local app) and the machine has been compromised, the binary can be edited to remove the security check - no need to even have the dongle - thus the requirement for an external resource being protected.
> On Oct 15, 2018, at 7:12 PM, Christopher Nielsen <m4dh4t...@gmail.com> wrote:
>
> On Mon, Oct 15, 2018 at 4:33 PM robert engels <reng...@ix.netcom.com> wrote:
>>
>> To clarify, this is for a hardware device that protects a local resource - a
>> network based protocol that challenges the device for access is a different
>> story, and yes, when properly implemented is secure (unless someone steals
>> your device! - which is why it is usually password + device, and then you
>> are back to the same problem of compromising passwords when root access has
>> been compromised).
>
> This statement indicates to me you don't understand how hardware
> security tokens work. It doesn't matter if you have root access. You
> cannot obtain key material from it. If you lose it, you lose the set
> of keys on it. That's it. Revoke them and issue new ones using your
> root cert/key that never touches a networked system and lives in a
> safe.
>
> --
> Christopher Nielsen
> "They who can give up essential liberty for temporary safety, deserve
> neither liberty nor safety." --Benjamin Franklin
> "The tree of liberty must be refreshed from time to time with the
> blood of patriots & tyrants." --Thomas Jefferson
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
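The two points in this exchange (a check inside a local binary can simply be patched out, whereas a remote verifier that challenges a hardware token and holds only public keys cannot, and lost tokens are handled by revocation) are illustrated by the following added Go example, which is not code from the thread; the `Verifier`, `Token` id strings and the use of Ed25519 as the token's signature scheme are assumptions, and the token itself is simulated by a private key that only the signing call ever sees:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)
// Verifier is the remote service guarding the resource; it holds only public keys, revocations and live challenges.
type Verifier struct {
	enrolled map[string]ed25519.PublicKey // token id -> public key
	revoked  map[string]bool
	pending  map[string]bool // challenge bytes -> issued but not yet consumed
}

func NewVerifier() *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]bool{}}
}
func (v *Verifier) Enroll(id string, pub ed25519.PublicKey) { v.enrolled[id] = pub }
func (v *Verifier) Revoke(id string)                        { v.revoked[id] = true }

// NewChallenge issues a fresh random nonce that is valid for exactly one response.
func (v *Verifier) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[string(c)] = true
	return c, nil
}

// Verify requires an enrolled, unrevoked token and a valid signature over a challenge we issued; the challenge is consumed, so replay fails.
func (v *Verifier) Verify(id string, challenge, sig []byte) error {
	if !v.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(v.pending, string(challenge))
	if pub, ok := v.enrolled[id]; !ok || v.revoked[id] || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("token not enrolled, revoked, or bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // priv stands in for the token; the verifier never sees it
	v := NewVerifier()
	v.Enroll("tok1", pub)
	c, _ := v.NewChallenge()
	fmt.Println(v.Verify("tok1", c, ed25519.Sign(priv, c)), "/", v.Verify("tok1", c, ed25519.Sign(priv, c)))
}
```

Everything a compromised client host could tamper with lives on the client side of the call; the decision is taken by the verifier, which an attacker would have to compromise separately.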