Old topic ssl private key with passphrase
Aleksandar Lazic
al-nginx at none.at
Wed Apr 23 18:32:57 UTC 2014
Hi.
On 23-04-2014 18:19, Maxim Dounin wrote:
> Hello!
>
> On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:
>
>> Dear nginx developers.
>>
>> What is necessary that you take hands on the topic 'private key
>> passphrase'?
[snip]
> Igor explained his position on this more than once: unless you are
> actually using something external to enter key passwords, there is no
> difference with unencrypted keys from security point of view
> (assuming proper access rights are used for keys). And as far as
> we know, no or almost no users of Apache's SSLPassPhraseDialog use
> it this way, most just use "echo 'password'" or something like.
Full ack ;-/
I also agree that this is a very hard task.
> So the question is: why do you need it?
If you want to get a specific certificate for some standards.
> (I'm aware of at least one more or less valid answer which almost
> convinced me that we should add it, but it's not about security,
> but rather about social engineering.)
Maybe some standards could be a valid reason.
https://en.wikipedia.org/wiki/PCI_DSS
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
e.g.
####
8.2
Employ at least one of these to authenticate all users: password or
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public
keys).
####
BR
Aleks
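Maxim's argument above is that a passphrase-protected key whose passphrase is fed from a script on the same host protects nothing beyond what the file permissions already do. The following is an added example (not code from this thread or from nginx) that audits a PEM key file on exactly those two points: whether it is stored encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header) and whether its POSIX mode bits grant group or other access. It assumes a POSIX file system; the PEM samples are constructed header-only stand-ins, not real key material.

```python
import os
import re
import stat
from typing import Dict, List

# Markers that identify a private key stored with a passphrase.
ENCRYPTED_PKCS8 = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
PROC_TYPE_ENCRYPTED = re.compile(rb"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
# Legacy PKCS#1 / SEC1 / DSA headers (not the PKCS#8 "ENCRYPTED" variant).
PRIVATE_KEY_HEADER = re.compile(rb"^-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----\s*$", re.M)


def classify_key(pem: bytes) -> str:
    """Return how a PEM private key is stored on disk."""
    if ENCRYPTED_PKCS8 in pem:
        return "encrypted-pkcs8"
    if PRIVATE_KEY_HEADER.search(pem):
        # Legacy formats flag encryption with a Proc-Type header block.
        return "encrypted-legacy" if PROC_TYPE_ENCRYPTED.search(pem) else "unencrypted"
    return "not-a-private-key"


def audit_key(pem: bytes, mode: int) -> Dict[str, object]:
    """Combine the storage form with the mode bits that actually protect the file."""
    group_or_other = mode & (stat.S_IRWXG | stat.S_IRWXO)
    kind = classify_key(pem)
    findings: List[str] = []
    if group_or_other:
        findings.append("key readable by group or others (mode %o)" % (mode & 0o777))
    if kind.startswith("encrypted"):
        findings.append("encrypted key: passphrase must be supplied from outside the host, "
                        "otherwise it is equivalent to an unencrypted key")
    return {"kind": kind, "mode": mode & 0o777,
            "restrictive": group_or_other == 0, "findings": findings}


def audit_key_file(path: str) -> Dict[str, object]:
    """Audit a key file on disk (hypothetical helper around audit_key)."""
    with open(path, "rb") as fh:
        pem = fh.read()
    return audit_key(pem, os.stat(path).st_mode)


# Constructed samples: header lines only, no real key material.
SAMPLE_UNENCRYPTED = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_LEGACY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                           b"MIIE...\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_ENCRYPTED_PKCS8 = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n"
                          b"-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem, mode in (("plain", SAMPLE_UNENCRYPTED, 0o600),
                            ("legacy", SAMPLE_ENCRYPTED_LEGACY, 0o644),
                            ("pkcs8", SAMPLE_ENCRYPTED_PKCS8, 0o640)):
        print(name, audit_key(pem, mode))
```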
More information about the nginx mailing list