

Question

I am working with a security person that baffles me a bit with the practices he performs. Besides the issue of this person insisting on bypassing every security measure in place we have got into it about handling private keys and certificates.

So this is my perspective of best practices in regards to web servers: When generating private keys it is best to generate them where they will be used and never move them to any other system, if at all possible. From this point generate a CSR from the server with it, to get a signed certificate. At this point the private key is never exposed to anything but the server that originally generated it, therefore there is no chance a hacked laptop or share might expose it.

This makes sense to me, however this security person seems to prefer generating the private key on a system he controls, then transfer this to whatever system needs it. This seems to extend the risk by having the private key in more than one spot as well as a lot more work with no benefit that I can see.

Am I missing anything with this? Other than common practice, is there a reason I am not seeing for this to be done?

Explanation / Answer

As long as the machine in question has enough entropy to generate strongly random keys and nonces, that's totally correct. The key must never leave that server. Even more, if I were working on a critical application, I wouldn't even trust that machine and would keep the key in an HSM. It might cost a lot, but it significantly enhances the security.

There is a broad spectrum of security practices, going from the best case above, to the worst possible situation, which appears to be your case. Either your colleague has a specific reason for doing so or he/she is putting the security of your applications at risk. Immediately confront him/her. If I were in charge, I would fire that "security" person at once.
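The workflow the question describes (generate the key on the server that will use it, derive the CSR from it, send only the CSR to the CA), as an added example that is not part of the question or answer above. The hostname `www.example.test` and the key directory are placeholders; the script also verifies that the CSR really embeds the on-disk key's public half and that the key file is owner-readable only.

```shell
#!/bin/sh
# Added example: generate the private key in place, build a CSR from it, and
# check both artefacts before the CSR (public data only) leaves the host.
# "www.example.test" and KEYDIR are assumed placeholders.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"

# Generate the key with owner-only permissions from the first byte; the umask
# avoids a world-readable window between file creation and a later chmod.
gen_key() {
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$KEYDIR/server.key" 2>/dev/null)
}

# Build the CSR from the local key. Only server.csr is handed to the CA;
# server.key stays on this machine.
gen_csr() {
    openssl req -new -key "$KEYDIR/server.key" -out "$KEYDIR/server.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
}

# Compare the public key embedded in the CSR with the one derived from the
# private key on disk, so the certificate you get back will match this key.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$KEYDIR/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
    csr_pub=$(openssl req -in "$KEYDIR/server.csr" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Confirm the key file is readable by its owner only (mode 600 or 400).
# Tries GNU stat first, then the BSD/macOS form.
key_perms_ok() {
    mode=$(stat -c %a "$KEYDIR/server.key" 2>/dev/null || stat -f %Lp "$KEYDIR/server.key")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```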
