Friday, 24 October 2008

How not to manage keys

Iñigo Montoya: "You keep using that word. I do not think it means what you think it means."

The Princess Bride (movie version only - it's not in the book)

Key management is a hot topic these days. The need to be regulatory compliant has driven the adoption of encryption, and with the use of encryption has come the need to manage the cryptographic keys that are used to encrypt and decrypt data. Encryption has always been a fairly arcane subject, but it's apparently even more difficult than you might first think. Maybe it's just more difficult than I might first think, but I probably have a fairly biased point of view from having worked in the information security industry for roughly 20 years.

I recently talked to a person who works for a large bank who was having a hard time getting upper management to understand some of the issues related to key management. In particular, this bank had decided that they needed to store their digital certificates in a very secure location. Why? Because a certificate contains a public KEY, so it needs to be protected just like any other key does. The argument from the security person that a certificate actually contains a PUBLIC key apparently fell on deaf ears, so this particular bank is now keeping their certificates really secure.

I have to wonder if the troublesome management could be swayed by the argument that the LDAP server storing the certificates is actually secure enough because it's behind a locked door. Maybe I'll mention that possible strategy the next time I get a chance.
