On Wed, Apr 26, 2000 at 02:46:19PM -0500, Leland V. Lammert wrote:
> At 12:53 PM 4/26/00, you wrote:
> 
> >Of course, nothing is as secure as a human being typing the passphrase in
> >at startup, but we've established that that is too much like hard work :).
> 
> Sorry, .. but you missed the point. If you are rebooting a server:
> 
> 1) In many cases the person doing the rebooting does not have root access, ..
> much less knowledge OF the pass phrase!
> 
> 2) In many other cases, the reboot is done remotely.
> 
> 3) In both cases above, the server would HANG on reboot awaiting a
> passphrase.
> 
> 3) In 95% of the other cases, nobody is going to the trouble to write a C
> program just to enter the passphrase.
> 
> 4) A passphrase on a server doesn't really matter anyway, .. since if the
> machine is set up correctly only the SysAdmin has access to the directory with
> the key.
> 
> In reality, passphrases are only applicable on user-level machines.

What you're essentially saying is that keying in the passphrase is too
much trouble.

That all depends on how important it is to you that the private key remains
uncompromised.

Points 1-3a are hurdles, and they're all part of what makes security 
expensive and troublesome. They're hurdles that can be jumped though; there
are plentiful secure ways to remotely admin a machine; if you care enough
about the passphrase not being compromised, pay two people to be on
reboot duty 24/7. That level of security costs money. You might not value
the data highly enough to warrant such paranoia, but the option is there.

Point 3b: That "trouble" might be necessary. It's less trouble than (say)
the authors of OpenSSL went to in writing the thing in the first place.

Point 4 scares the bejesus out of me. "If the machine is set up correctly" is
a MAJOR assumption. However carefully you lock a machine down, there's a 
possibility, however small, that there's a way in. Every program, every
OS, has exploits discovered every day. If a cracker gets onto your server,
they may get hold of some valuable data -- then when you detect them, they'll
stop -- but if they get your private key they can continue gathering
private data undetected for as long as you continue using that key pair
(beyond the lifetime of your certificate, in all likelihood). 

That private key is the single most valuable piece of data on the server.
It is a single point of failure in your security scheme. For every application,
a different value can be placed on it; that value will influence how much
inconvenience your organisation is prepared to go through in order to
protect it.

-- 
-------------------------------------------------------------------------------
                 "(The Mk 2 only reached prototype stage
           and was abandoned due to a design fault in the hull)"
-------------------------------------------------------------------------------

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]