On Wed, Jul 25, 2012 at 3:40 PM, Ted Byers <r.ted.by...@gmail.com> wrote:
...
> On Wed, Jul 25, 2012 at 4:03 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> ...
>> I will provide the user passwords for the client certs. to my
>> intermediate helpers via the USPO and the individual client
>> certificates via e-mail. The users have to get their passwords from
>> the helpers via telephone. The passwords are similar to Microsoft
>> client keys but are case sensitive.
>>
> USPO? You mean the postal service in the US?
Yes, that's my plan. I didn't say so, but I will e-mail the certs. to my helpers also. So the users have to call their assigned helper for the certificate to be e-mailed to them and the password to be read to them.

> Doesn't distribution of certificates via email create a vulnerability? I
> would have expected that using email, a) gives a bad guy a chance to
> steal/copy the certificate, and b) requires the use of yet another server to
> secure.

Well, for my purposes I'm assuming that risk (the data to be protected is contact data, not financial).

> From what I have been reading, distribution of the keys is always one of the
> biggest headaches in the design of a secure system.

I agree, but I'm trying to do the best I can given my users (and my own lack of knowledge or a better idea).

> I was thinking of something more like giving your helpers login credentials
> (with cryptographically secure random user IDs and passwords) that can be
> used only once. They connect over the strongest SSL/TLS connection Apache
> supports, from whatever machine they will be using, so that the certificate
> can be created, signed, and installed over an encrypted channel in
> 'effectively' an instant. Making these things easy and intuitive for the
> end user, without compromising security, is a top criterion for me.

My user client certificates will be protected with long, random passwords and 2048-bit keys. I keep their private keys, which they don't have access to and which will not be distributed.

> Thanks. Let me know when I can take a look at your script. I'd also like to
> hear about how you harden your servers.

Roger, I plan to put all that on my blog later. I've been relying heavily on several books, which I'll mention after I get home to my bookshelf ("Apache Security" is one of them).

Cheers!
-Tom

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
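The scheme discussed in the thread (a client certificate with a 2048-bit key, handed out as a bundle locked with a long random case-sensitive password, while the issuer keeps the private key) as an added example that is not part of the thread or of anyone's posted script. It assumes the openssl CLI is installed and uses a constructed throwaway CA; every name and path below is made up for the demo.

```shell
#!/bin/sh
# Added example: issue a client certificate from a throwaway demo CA and
# export it as a PKCS#12 bundle protected by a long random passphrase.
# Assumes the openssl CLI; all file names and subjects are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # private keys stay in this directory

# Long, random, case-sensitive passphrase from the OS CSPRNG
# (32 random bytes, base64 encoded -> 44 characters).
gen_password() {
    openssl rand -base64 32 | tr -d '\n'
}

# One-off self-signed demo CA with a 2048-bit RSA key (not a real CA).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client cert for user $1 and export key+cert as PKCS#12 locked
# with passphrase $2. Only the .p12 path is printed; the .key never leaves $WORK.
make_client_bundle() {
    user="$1"; pw="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -out "$WORK/$user.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
        -certfile "$WORK/ca.crt" -name "$user" \
        -passout "pass:$pw" -out "$WORK/$user.p12"
    echo "$WORK/$user.p12"
}

# Returns 0 if bundle $1 opens with passphrase $2, non-zero otherwise;
# this is the check a helper can run before reading the password out.
verify_bundle() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}
```

The bundle and the passphrase travel over separate channels (e-mail and telephone in the thread), so neither one alone is useful to whoever intercepts it.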