Date:      Tue, 30 Sep 1997 14:26:34 +0200 (MET DST)
From:      Eivind Eklund <perhaps@yes.no>
To:        Jeremy Lea <reg@shale.csir.co.za>
Cc:        mike@smith.net.au, peter@grendel.IAEhv.nl, chat@FreeBSD.ORG
Subject:   Re: Microsoft brainrot (was: r-cmds and DNS and /etc/host.conf)
Message-ID:  <199709301226.OAA22862@bitbox.follo.net>
In-Reply-To: Jeremy Lea's message of Tue, 30 Sep 1997 10:07:11 +0200
References:  <19970930011555.61645@grendel.IAEhv.nl> <199709300220.LAA02242@word.smith.net.au> <19970930100711.04631@shale.csir.co.za>

[Jeremy Lea]
> A little thought says the primary weakness is that root@foo.bar's secret key
> must be available to it in some open form, along with admin@bar's at various
> times in the Java applet, and if they can be stolen then you have a hole.
> But this is a known attack on PGP (and family), and if you are having this
> kind of data snooped then you have probably already lost the battle.

I dislike this part of it intensely, because PGP keys are usually more
permanent entities than passwords.  A malicious Java applet could get
hold of my key, and probably also the rest of my files (given that it
had access to get at the key).  Mike is creating an infrastructure
that hopefully will make many people create modules, thus making this
a glaring hole.

I'd much rather send my root password (over SSL) - that way, I can at
least use S/Key.

However, if we're going to use Java anyway, there is lots of crypto
we could use - but will this be the easiest way of implementing the
interface?

Eivind.


