On Wed, Jul 25, 2012 at 3:40 PM, Ted Byers <r.ted.by...@gmail.com> wrote:
...
> On Wed, Jul 25, 2012 at 4:03 PM, Tom Browder <tom.brow...@gmail.com> wrote:
...
>> I will provide the user passwords for the client certs. to my
>> intermediate helpers via the USPO and the individual client
>> certificates via e-mail.  The users have to get their passwords from
>> the helpers via telephone.  The passwords are similar to Microsoft
>> client keys but are case sensitive.
>>
> USPO?  You mean the postal service in the US?

Yes, that's my plan.  I didn't say so, but I will e-mail the certs. to
my helpers also.  So the users have to call their assigned helper for
the certificate to be e-mailed to them and the password to be read to
them.

> Doesn't distribution of certificates via email create a vulnerability?  I
> would have expected that using email, a) gives a bad guy a chance to
> steal/copy the certificate, and b) requires the use of yet another server to
> secure.

Well, for my purposes I'm assuming that risk (the data to be protected
is contact data, not financial).

> From what I have been reading, distribution of the keys is always one of the
> biggest headaches in the design of a secure system.

I agree, but I'm trying to do the best I can given my users (and my
own lack of knowledge or a better idea).

> I was thinking of something more like giving your helpers login credentials
> (with cryptographically secure random user IDs and passwords) that can be
> used only once.  They connect over the strongest SSL/TLS connection Apache
> supports, from whatever machine they will be using, so that the certificate
> can be created, signed, and installed over an encrypted channel in
> 'effectively' an instant.  Making these things easy and intuitive for the
> end user, without compromising security, is a top criterion for me.

My user client certificates will be protected with long, random
passwords and 2048-bit keys.  I keep their private keys which they
don't have access to and which will not be distributed.

> Thanks.  Let me know when I can take a look at your script.  I'd also like to
> hear about how you harden your servers.

Roger--I plan to put all that on my blog later.  I've been relying
heavily on several books, which I'll mention after I get home to my
bookshelf ("Apache Security" is one of them).

Cheers!

-Tom
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
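An added example, not code from the thread or from either poster: a POSIX shell script that issues one client certificate the way Tom describes (2048-bit RSA key, signed by the CA, packaged as a PKCS#12 bundle protected by a long random case-sensitive password) while the private key stays on the issuer's machine. The throwaway CA, the user name and the file layout under `$WORK` are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: issue a password-protected client certificate with OpenSSL.
# Everything here (CA, user, paths) is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA for the demo; a real deployment reuses its existing CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Long, random, case-sensitive password (24 random bytes -> 32 base64 chars).
random_password() {
  openssl rand -base64 24
}

# Issue one client cert for "$1" protected by password "$2"; prints the
# .p12 path. The raw private key never leaves $WORK: only the .p12 is
# handed out, and it is useless without the password read over the phone.
issue_client() {
  user="$1"; password="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$user.key" 2>/dev/null
  openssl req -new -key "$WORK/$user.key" -subj "/CN=$user" \
    -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/$user.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
    -certfile "$WORK/ca.crt" -name "$user" \
    -passout "pass:$password" -out "$WORK/$user.p12"
  echo "$WORK/$user.p12"
}

# Succeeds only if the bundle's MAC verifies under the given password.
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout -nokeys 2>/dev/null
}

# Print the RSA key size of the client cert inside the bundle.
key_bits() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```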