Hi Ives,
It should be mentioned in the documention - if not, we should fix this:
The idea ist the following:
- the key is protected by its pin
(which is given at request time or set by the ca)
- if you download you have to give the key-pin as credential to
get access to the key and for decryption
the problem with this workflow is the following:
- the key-pin is exposed to brute-force attacs on the web
this would be like, putting the key (even encrypted) somewhere
and waiving - hey poeple come and try yourself ;)
You can fix that if your users only submit PKCS#10 requests. Then, the
private key is never exposed on the web. It works well with Firefox and
IE, as far as I tested.
therefore we decided to protect the key-pin with a separate download-pin
which has to be set from the ra-officer
- so a possible mallicous user would first have to 'crack' the
download pin to get any useful information about the
correctness of the key-pin used at the webpage
- in other words, he can't do a simple 'brute-force' attac on
the key-pin, since its guarded by the download-pin
??? Isn't that the same (even worse) than just making the key-pin a bit
longer? If you extend the key-pin by one number, you get 10x the
security of the previous pin-length. If you introduce a "download-pin",
it just adds a constant factor, that is usually smaller than the key-pin
(unless you make it longer than the key pin, but that doesn't seem to
make sense). With a download-pin at the same length as the key pin, you
just get 2x the security instead of 10x by just adding one number to the
key pin.
Greetings,
Georg
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server.
Download it for free - -and be entered to win a 42" plasma tv or your very
own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
