On Fri December 26 2008, Edward Diener wrote:
> Kyle Hamilton wrote:
> > 
> > If your company hires a security consultant, s/he will state the same thing.
> 
> Thanks for your help but right now I am the programmer and "security 
> consultant", and therefore I must come up with security answers. 
> Nonetheless I will mention to my employer that he might want to hire 
> another person as a "security consultant" to deal with server side 
> security issues.
>

And that is one of the problems which people are trying to describe.

Where the application coding can be split between server and client
side coding - (and evidently has been, you have the client side chore). 

The system security plan can not be split, it must encompass the application
as a whole, end-to-end.

Note I write: "plan" - the coding that implements the plan can be split,
just the plan can not be.

And unfortunately for yourself, you can't fix things from the client side only. 
;)

- - - -

From a business standpoint, there is another significant problem lurking here -

If the system was sold along the lines of argument: "Buy our xyz and you 
can be sure the information in the system is secure."

Then the customer can reasonably expect the firm making the sale under such
logic to be responsible for any security failures.

Now consider some scheme that involves a client-side private key - -
Perhaps, the application generates a key-pair, has the server sign the
certificate request - something, anything, that results in a client side,
private key - -

If any of the clients fail to preserve and protect that client side private key 
-
Then the information stored by the application is subject to compromise.
I.e., the actual failure point is on the client side -
But the liability remains with the provider of the system.  Ouch.
(You can't ask the Fox to protect the Chicken House.)

A similar case can be made for a system that does not use a client side private
key but requires protection of the public key materials on the client side.

We can all hope that the legal department did a better job of drawing up the
sales contract than that done by the application security planner. ;)

Mike
> > 
> > -Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org