[nycphp-talk] Encrypt and decrypt to store in DB
tedd
tedd at sperling.com
Fri Aug 4 13:09:26 EDT 2006
At 12:31 PM -0400 8/4/06, Dan Cech wrote:
>That is pretty much the problem in a nutshell. Any kind of 2-way
>encryption on a single server is going to require that the key be
>present on the system and therefore vulnerable to attack.
Excuse me for my ignorance, but isn't there some sense of security in
placing the key in a directory that's protected by the path to the
directory (not root), permissions, and .htaccess?
Granted that's not perfect, but what is?
I've read Shiflett's book on security and even he states that a
hardware key provides the "best" security, but adds "for those who
can afford it".
It is plausible for the client/provider to agree on a verbal key and
not have it on the server, like a password? Once you hash a "strong"
password, it becomes pretty hard to crack it.
I don't know, just asking for discussion.
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
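
The idea raised in the message above, a key that is agreed out of band and never stored on the server, can be sketched as follows. This is an added example, not code from the original post or thread. It assumes PHP 7.1+ with the openssl extension; the function names, iteration count and sample values are hypothetical or constructed.

```php
<?php
// Added example: the AES key is derived from a passphrase at request time
// and is never written to disk or to the database.

const KDF_ITERATIONS = 600000; // assumption: tune to the server's hardware

function derive_key(string $passphrase, string $salt): string
{
    // PBKDF2-HMAC-SHA256 stretches the passphrase into a 32-byte key.
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
}

function encrypt_for_db(string $plaintext, string $passphrase): string
{
    $salt  = random_bytes(16);  // per-record salt, stored beside the data
    $nonce = random_bytes(12);  // GCM nonce, must be unique per encryption
    $tag   = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', derive_key($passphrase, $salt),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored value: salt | nonce | tag | ciphertext. No key material.
    return base64_encode($salt . $nonce . $tag . $ct);
}

function decrypt_from_db(string $stored, string $passphrase): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 44) {
        return null; // malformed or truncated record
    }
    $salt  = substr($raw, 0, 16);
    $nonce = substr($raw, 16, 12);
    $tag   = substr($raw, 28, 16);
    $ct    = substr($raw, 44);
    // A wrong passphrase or a modified record fails the GCM tag check.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', derive_key($passphrase, $salt),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values, for illustration only.
$row = encrypt_for_db('sample secret value', 'correct horse battery staple');
var_dump(decrypt_from_db($row, 'correct horse battery staple'));
var_dump(decrypt_from_db($row, 'wrong passphrase'));
```

With this layout a stolen database dump or file system copy holds no key, but the passphrase still passes through the server's memory on every request that decrypts, so it does not protect against a compromise of the running application.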