To SecretStore or Not to SecretStore
Novell Cool Solutions: Tip
Digg This -
Posted: 23 Apr 2003
Here's a good question:
Given that SecureLogin can be installed with SecretStore and also without using SecretStore, what would be the advantages of either way?
And here's a good answer, supplied by some that are much smarter than us:
In a nutshell, there are two main technical differences between eDirectory and SecretStore implementations of Novell SecureLogin:
- SecretStore is encrypted using NICI, and eDirectory is encrypted using Protocom's encryption engine. Protocom uses "workstation side" encryption. NICI is both client and server encryption. NICI is export-certified to most countries. NICI encryption can be variable per system, so it's not necessarily stronger than what Protocom uses.
- SecretStore and eDirectory implementations of NSL both store user names and passwords as attributes on the user. The SecretStore attribute is hidden, and can only be seen using the SecretStore utilities; the Protocom (eDirectory) attribute is not hidden but strongly encrypted.
You only need SecretStore is when you want to share passwords with Portal or iChain.
Here's another tip, added by John Clark
There is one more functional difference between SecretStore and native SecureLogin encryption that could affect a customer's decision...
The feature is intended to address the problem that occurs when a user forgets his/her eDirectory password AND SecureLogin Passphrase Answer. With SecretStore, it is possible to configure special SecretStore Administratior accounts with the right to unlock a user's SecretStore.
Ideally, this unlock occurs in two steps: first, the helpdesk password administrator resets the user's eDirectory password, then if the user doesn't remember (or doesn't want to bother with) the Passphrase Answer, the unlock request is passed to the SecretStore administrator who issues the SecretStore Unlock command. Because SecretStore has been unlocked, SecureLogin is then able to retrieve the information needed to complete the unlock without prompting the user for her passphrase answer.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com