Jeffrey D. Smith wrote:
[...]
How about key IMPORT? Could I keep the key in encrypted form and import
it from the CKDS?

Of course, but you can't use CPACF in that case.
I can use both: ICSF for key extraction and CPACF.
BTW: I understand "using CPACF" as using CPACF directly OR via the ICSF API.

[...]
The RACF support in ICSF restricts access to the services, but not the
resource being ciphered. That is a HUGE difference.

RACF restricts access to both services and keys as well.

ICSF issues security calls for services and keys. That's not my point.
ICSF does nothing to protect the ciphered resource. *Both* the ciphered
resource and the key that ciphers it must be protected through a single
point of access.
Now I understand your point! You want to tie protection of the key to protection of the resource. This is a very interesting approach. However, I cannot agree with the "must" keyword as a general rule. Why?

[...]
I think there is a language barrier here. My point is that there is
no point in preventing/restricting access to the ICSF ciphering
functions. The vast majority of encryption needs involve ciphering
data. With CPACF, there is no need to use ICSF. Thus, applying security
controls to ICSF ciphering is useless. A program can directly use CPACF
instead of ICSF.
Even if CPACF were unavailable, I don't think that any function should be restricted. We don't restrict READ, but we control the dataset which can be read. Everyone can add, multiply, divide, etc., so why deny encryption as a function?

[...]
So, if you are forced to use a 3rd party key management system, you have
no need for ICSF.

Wrong assumption: maybe people are not forced to use a 3rd-party KMS.
Sometimes people use ICSF with a TKE workstation.

TKE is not a key management *system*. It is a trusted key entry device.
That has nothing to do with managing the use of keys.
TKE is for key entry. Key entry is part of key management (this is a matter of definition). Sometimes this part of key management is enough. Sometimes even TKE is not needed.

Regards
--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
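An added example, not part of either participant's message, showing where the three controls argued about above actually live in RACF terms: the ICSF callable service (class CSFSERV), the key label in the CKDS (class CSFKEYS), and the ciphered data set itself (class DATASET). CSFSERV, CSFKEYS and DATASET are the real RACF classes that ICSF and DFSMS check; the job name, the userid PAYAPP, the key label PAY.AES.DATAKEY and the data set name PAY.CIPHER.DATA are made up for the illustration. The service profile is left at UACC(READ), which is the position both posters take (the function itself is not worth restricting), while the key label and the data set are both restricted to the same userid, which is the "single point of access" pairing the thread is discussing.

```jcl
//RACFDEF  JOB (ACCT),'ICSF ACCESS EXAMPLE',CLASS=A,MSGCLASS=X
//*
//* Added example (hypothetical names). Run as a batch TSO step so the
//* RACF commands below execute in order under an authorized userid.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CSFSERV CSFKEYS) RACLIST(CSFSERV CSFKEYS)
  RDEFINE  CSFSERV CSFENC UACC(READ)
  RDEFINE  CSFSERV CSFDEC UACC(READ)
  RDEFINE  CSFKEYS PAY.AES.DATAKEY UACC(NONE)
  PERMIT   PAY.AES.DATAKEY CLASS(CSFKEYS) ID(PAYAPP) ACCESS(READ)
  ADDSD    'PAY.CIPHER.DATA' UACC(NONE)
  PERMIT   'PAY.CIPHER.DATA' ID(PAYAPP) ACCESS(UPDATE)
  SETROPTS RACLIST(CSFSERV CSFKEYS) REFRESH
  RLIST    CSFKEYS PAY.AES.DATAKEY AUTHUSER
  LISTDSD  DATASET('PAY.CIPHER.DATA') AUTHUSER
/*
```

The two LIST commands at the end print the access lists, so the result to check after the job runs is that PAYAPP appears with READ on the key label and UPDATE on the data set, and that no other user or group is in either list. Granting a userid READ on the CSFKEYS profile but not on the DATASET profile (or the reverse) is exactly the gap Smith's "single point of access" remark is about: the key is usable through ICSF, but without the matching data set authority it cannot be applied to the protected resource, and vice versa.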
