Old topic ssl private key with passphrase
al-nginx at none.at
Wed Apr 23 18:32:57 UTC 2014
On 23-04-2014 18:19, Maxim Dounin wrote:
> On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:
>> Dear nginx developers.
>> What is necessary that you take hands on the topic 'private key
> Igor explained his position on this more than once: unless you are
> actually using something external to enter key passwords, there is no
> difference with unencrypted keys from security point of view
> (assuming proper access rights are used for keys). And as far as
> we know, no or almost no users of Apache's SSLPassPhraseDialog use
> it this way, most just use "echo 'password'" or something like.
Full ack ;-/
I also agree that this is a very hard task.
> So the question is: why do you need it?
If you want to get a specific certificate for some standards.
> (I'm aware of at least one more or less valid answer which almost
> convinced me that we should add it, but it's not about security,
> but rather about social engineering.)
Maybe some standards could be a valid reason.
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public