My friend, Alun Jones, MS Security MVP, has a great post on ten cryptographic key truths, followed by ten other key facts about cryptography.
Here are the first five:
- Your private key has to be private to you. It cannot be created by anyone else.
- Anyone who has your private key is you, for the purposes to which that key is applied.
- If you have a private key that was generated by your employer, then that key identifies you as a part of the employer. It cannot be used to uniquely identify you, because the key was generated under your employer's control.
- Keys associated with expired or revoked certificates are not always useless - you can use them to decrypt a file that they encrypted a long time ago; you can also verify the time-stamped signature of a document, if the certificate was valid at the time of the signature.
- A key is a number - it cannot expire, it is the associated certificate that expires. Similarly, the certificate, not the key, is what is revoked after exposure.
Read Alun’s article for the rest of the list (I wish more people took these truths to heart).
No comments:
Post a Comment