Subject Re: [IB-Architect] Re: Re: Nailing down the external file problem.
Author Mauricio Longo
----- Original Message -----
From: "Mark O'Donohue" <mark.odonohue@...>
To: <IB-Architect@egroups.com>
Sent: Wednesday, January 10, 2001 10:52 AM
Subject: [IB-Architect] Re: Re: Nailing down the external file problem.


>
>
> >Considering that no system is safe, Phil Zimmermann
> >(creator of PGP), repeatedly points out in his PGP documentation that you
> >are responsible for the safety of your computer. PGP trusts that the system
> >is free of viruses and trojans and so makes
> >no effort to defend itself from these aggressors.
>
> I agree, that's why on your server it's not fatal to have private keys/passwords stored in the clear. That's how your web server works.
>
True. A key component of computer security is the armed guard right beside
the machine. :-)

>
>
> >I've been working in a PKI related project for over 3 years now.
>
> Well it looks like we have good company to assist with the design, review (and coding ;-).
>

I wish I could be of more help in coding, however, to say that my C is rusty
would be incredibly flattering to my skills. :-(

> >Only
> >recently I've come to understand that you are never paranoid enough to stop
> >everyone and that there is a point where you might actually stop yourself and
> >your system with too much security complexity without actually achieving
> >your goal of stopping invasion.
>
> Most companies do that when they install a firewall and chop off all the ports, suddenly ftp doesn't seem to work etc etc ;-).
>

Don't I know it. I can't even reply to this group from work without having
to resort to the web interface.

> >It seems that
> >Oracle started down this path but in a road full of bumps. (I've heard
> >several serious security problems related, including one where you are
> >allowed to upload Java code that will have complete access to the data in
> >the database and can so return such data to you, even though you do not
> >have access privileges to that data.)
>
> I think Oracle are firing in all directions at once, certainly from what I've seen, and I'm not surprised they shoot themselves in the foot occasionally. I think we would require all UDF and Java code to be provided on the server, and placed there by the SYSDBA.

This sounds quite good. If IB goes the way of a PKI solution for security
we could have different certificate levels for users and administrators.
Not just assigned privileges, but actually a different certificate class.
I'm not sure if I make myself clear.

If you have a user certificate, you'll never be able to receive
administrator privileges. You would need a new certificate.

> 3DES seems to be acceptable for storing passwords commercially (banks seem to be happy with it ;-). Speak any of the others and they seem to get itchy feet (only my experience). But SSLEAY and others usually come with a range of cypher routines, so it can be made configurable. (Does anyone remember the name of the recent DES replacement, was it the French one? I think TwoFish was also a candidate?).

You should listen to the other side talk about it. It might very well be
that banks trust 3DES, however, once you see a professional hacker snap his
lips from discovering that "it's a simple DES variation..." - well you'll
never trust your bank too much again. :-)

I've seen this in the flesh...

> >One cheap alternative hardware nowadays is the mini-key.
>
> Haven't heard of that one, is it the "tag" type one that clicks into the serial port, sort of like those software copy protection lock devices used to?
>
Very close. The implementation is similar to the smart card approach,
however it plugs into your USB port. It has a built in processor for
signing, encrypting, etc. It neatly goes on your key ring.

> Realistically a software solution will work well, and can easily be expanded to support hardware devices.

I totally agree.

>
> I agree, I also think we have to do it to get us back some credibility.
>
Agreed. We happen to be the object of the very first CERT warning of 2001.
Not good.

> SSLEAY also has SSL (and the new one as well (is it TLS?)). Also need to check out openssl which as I said is the successor.
>

I believe OpenSSL picked up just where SSLEAY left off. I'm not exactly
sure on this though.

Best regards,

Mauricio Longo