On Dec 20, 2007 3:52 PM, Andrew Sullivan <ajs@crankycanuck.ca> wrote:
> On Thu, Dec 20, 2007 at 03:35:42PM -0500, Merlin Moncure wrote:
> >
> > Key management is an issue but easily solved. Uber simple solution is
> > to create a designated table holding the key(s) and use classic
> > permissions to guard it.
>
> Any security expert worth the title would point and laugh at that
> suggestion. If the idea is that the contents have to be encrypted to
> protect them, then it is just not acceptable to have the encryption keys
> online. That's the sort of "security" that inevitably causes programs to
> get a reputation for ill-thought-out protections.
right, right, thanks for the lecture. I am aware of various issues
with key management.
I said 'simple' not 'good'. there are many stronger things, like
forcing the key to be passed in for each invocation, hmac, etc. etc.
I am not making a proposal here and you don't have to denigrate my
broad suggestion on a technical detail which is quite distracting from
the real issue at hand, btw. I was just suggesting something easy to
stop casual browsing. If you want to talk specifics, we can talk
specifics...
merlin
