Old topic ssl private key with passphrase

Dear nginx developers.

What is necessary that you take hands on the topic ‘private key
passphrase’?

e.g.: http://trac.nginx.org/nginx/ticket/433

[ ] donation
[ ] time
[ ] leasure
[ ] other: …

Maybe not as much options as in apache httpd

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog

but at least one.

I found this entry in the ml from 2012, is this a possible solution for
nginx OSS core?

http://marc.info/?t=131494347400003&r=1&w=2

Maybe you can start again a nginx deployments survey as in 01.2013,
to see what a year later the new or old goals of the nginx community is.

http://mailman.nginx.org/pipermail/nginx/2013-January/037113.html

Best regards
Aleks

On Wednesday 23 April 2014 17:34:10 Aleksandar L. wrote:
[…]

Maybe you can start again a nginx deployments survey as in 01.2013,
to see what a year later the new or old goals of the nginx community is.

http://mailman.nginx.org/pipermail/nginx/2013-January/037113.html

There is one already started:
http://nginx.com/blog/think-nginx/

wbr, Valentin V. Bartenev

Hello!

On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar L. wrote:

Maybe not as much options as in apache httpd

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog

but at least one.

Igor explained his position on this more than once: unless you are
actually using something external to enter key passwords, there is no
difference with unencrypted keys from security point of view
(assuming proper access rights are used for keys). And as far as
we know, no or almost no users of Apache’s SSLPassPhraseDialog use
it this way, most just use “echo ‘password’” or something like.

So the question is: why do you need it?

(I’m aware of at least one more or less valid answer which almost
convinced me that we should add it, but it’s not about security,
but rather about social engineering.)

I found this entry in the ml from 2012, is this a possible solution for
nginx OSS core?

http://marc.info/?t=131494347400003&r=1&w=2

No.


Maxim D.
http://nginx.org/

Hi.

Am 23-04-2014 18:19, schrieb Maxim D.:

Hello!

On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar L. wrote:

Dear nginx developers.

What is necessary that you take hands on the topic ‘private key
passphrase’?

[snipp]

Igor explained his position on this more than once: unless you are
actually using something external to enter key passwords, there is no
difference with unencrypted keys from security point of view
(assuming proper access rights are used for keys). And as far as
we know, no or almost no users of Apache’s SSLPassPhraseDialog use
it this way, most just use “echo ‘password’” or something like.

Full ack ;-/

I also agree that this is a very hard task.

So the question is: why do you need it?

If you want to get a specific certificate for some standars.

(I’m aware of at least one more or less valid answer which almost
convinced me that we should add it, but it’s not about security,
but rather about social engineering.)

Maybe some standards could be a valid reason.

https://en.wikipedia.org/wiki/PCI_DSS

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

e. g.

8.2
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public
keys).

BR
Aleks

Igor and Maxim positions, I suppose, are based on the fact that, unless
using an external system to authenticate the user of a certificate,
storing
both certificate + passphrase on thel same system, accessed by the same
user (the one running nginx which loads the certificate and needs to
decrypt it) has the same level of security that dealing with an
unencrypted
certificate and provide a false sense of securilty.

Isolation of independent parts of a security system is a very basic
notion
of security based on common sense. The standards you quote are based on
those.

B. R.

Hello!

On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar L. wrote:

passphrase’?
Full ack ;-/

I also agree that this is a very hard task.

So the question is: why do you need it?

If you want to get a specific certificate for some standars.

Well, that’s not about security either, and completely
non-technical.

I’ve seen “certifications” requiring to use software with known
remote code execution vulnerabilities, and I’m quite sceptical
about doing something just because of certification requirements,
without understanding the reasons behind them (if any).

Anyway, if you know a standard which requires storing of
keys in password-protected forms only - please point it out.

e. g.

8.2
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public keys).

This doesn’t look related at all. It’s about authentication of
users, not about storage of private keys.


Maxim D.
http://nginx.org/

Hi.

Am 24-04-2014 10:54, schrieb Maxim D.:

Hello!

On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar L. wrote:

Hi.

Am 23-04-2014 18:19, schrieb Maxim D.:

[snipp]

remote code execution vulnerabilities, and I’m quite sceptical
about doing something just because of certification requirements,
without understanding the reasons behind them (if any).

Anyway, if you know a standard which requires storing of
keys in password-protected forms only - please point it out.

Okay.

BR Aleks

Am 23-04-2014 18:06, schrieb Valentin V. Bartenev:

There is one already started:
http://nginx.com/blog/think-nginx/

Sorry how could I missed this :wink:

BR Aleks

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs