Igor explained his position on this more than once: unless you are
actually using something external to enter key passwords, there is no
difference with unencrypted keys from security point of view
(assuming proper access rights are used for keys). And as far as
we know, no or almost no users of Apache’s SSLPassPhraseDialog use
it this way, most just use “echo ‘password’” or something like.
So the question is: why do you need it?
(I’m aware of at least one more or less valid answer which almost
convinced me that we should add it, but it’s not about security,
but rather about social engineering.)
I found this entry in the ml from 2012, is this a possible solution for
nginx OSS core?
On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar L. wrote:
Dear nginx developers.
What is necessary that you take hands on the topic ‘private key
passphrase’?
[snipp]
Igor explained his position on this more than once: unless you are
actually using something external to enter key passwords, there is no
difference with unencrypted keys from security point of view
(assuming proper access rights are used for keys). And as far as
we know, no or almost no users of Apache’s SSLPassPhraseDialog use
it this way, most just use “echo ‘password’” or something like.
Full ack ;-/
I also agree that this is a very hard task.
So the question is: why do you need it?
If you want to get a specific certificate for some standars.
(I’m aware of at least one more or less valid answer which almost
convinced me that we should add it, but it’s not about security,
but rather about social engineering.)
Maybe some standards could be a valid reason.
e. g.
8.2
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public
keys).
Igor and Maxim positions, I suppose, are based on the fact that, unless
using an external system to authenticate the user of a certificate,
storing
both certificate + passphrase on thel same system, accessed by the same
user (the one running nginx which loads the certificate and needs to
decrypt it) has the same level of security that dealing with an
unencrypted
certificate and provide a false sense of securilty.
Isolation of independent parts of a security system is a very basic
notion
of security based on common sense. The standards you quote are based on
those.
On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar L. wrote:
passphrase’?
Full ack ;-/
I also agree that this is a very hard task.
So the question is: why do you need it?
If you want to get a specific certificate for some standars.
Well, that’s not about security either, and completely
non-technical.
I’ve seen “certifications” requiring to use software with known
remote code execution vulnerabilities, and I’m quite sceptical
about doing something just because of certification requirements,
without understanding the reasons behind them (if any).
Anyway, if you know a standard which requires storing of
keys in password-protected forms only - please point it out.
e. g.
8.2
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public keys).
This doesn’t look related at all. It’s about authentication of
users, not about storage of private keys.
On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar L. wrote:
Hi.
Am 23-04-2014 18:19, schrieb Maxim D.:
[snipp]
remote code execution vulnerabilities, and I’m quite sceptical
about doing something just because of certification requirements,
without understanding the reasons behind them (if any).
Anyway, if you know a standard which requires storing of
keys in password-protected forms only - please point it out.
