
This proposal is very similar to Plan 9's "factotum" scheme (see http://qedragon.livejournal.com/99938.html for a nice explanation with reference to Heartbleed; factotum is similar to a generic ssh-agent or gss-proxy), except proposing that the daemon run as a separate user, which is a reasonable extra layer of security that deals with some remote-code exploits.


Yeah, I was aware of factotum when I wrote this post. GNOME uses p11-kit (which is a wrapper around PKCS#11) and gnome-keyring to kinda provide similar functionality.



