Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer mathslibrary

From: Trond Myklebust
Date: Sat Jan 28 2006 - 22:19:19 EST


On Sat, 2006-01-28 at 17:57 +0100, David HÃrdeman wrote:

> What about the first paragraph of what I wrote? You are going to want to
> keep often-used keys around somehow, proxy certificates is not a
> solution for your own use of your personal keys and with the exception
> of hardware solutions such as smart cards, the keys will be safer in the
> kernel than in a user-space daemon...

I don't get this explanation at all.

Why would you want to use proxy certificates for you own use? Use your
own certificate for your own processes, and issue one or more proxy
certificates to any daemon that you want to authorise to do some limited
task.

...and what does this statement about "keys being safer in the kernel"
mean?

> Further, the mpi and dsa code can also be used for supporting signed
> modules and binaries...the "store dsa-keys in kernel" part adds 376
> lines of code (counted with wc so comments and includes etc are also
> counted)...

Signed modules sounds like a better motivation, but is a full dsa
implementation in the kernel really necessary to achieve this?

Cheers,
Trond

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/