Old topic ssl private key with passphrase

Aleksandar Lazic al-nginx at none.at
Wed Apr 23 18:32:57 UTC 2014


Hi.

On 23-04-2014 18:19, Maxim Dounin wrote:
> Hello!
> 
> On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:
> 
>> Dear nginx developers.
>> 
>> What is needed for you to take up the topic 'private key 
>> passphrase'?

[snipp]

> Igor explained his position on this more than once: unless you are
> actually using something external to enter key passwords, there is no
> difference with unencrypted keys from security point of view
> (assuming proper access rights are used for keys).  And as far as
> we know, no or almost no users of Apache's SSLPassPhraseDialog use
> it this way, most just use "echo 'password'" or something like that.

Full ack ;-/

I also agree that this is a very hard task.

> So the question is: why do you need it?

If you want to get a specific certificate for some standards.

> (I'm aware of at least one more or less valid answer which almost
> convinced me that we should add it, but it's not about security,
> but rather about social engineering.)

Maybe some standards could be a valid reason.

https://en.wikipedia.org/wiki/PCI_DSS

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

e. g.

####
8.2
Employ at least one of these to authenticate all users: password or 
passphrase; or two-factor
authentication (e.g., token devices, smart cards, biometrics, public 
keys).
####

BR
Aleks
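The point Maxim makes above, that a key passphrase only adds security when something outside the host supplies it, and that an `echo 'password'` helper leaves you no better off than a plain key with tight permissions, as an added shell example (not part of the original post, and not nginx or Apache code). It audits a PEM key file for encryption and restrictive mode bits, and flags an Apache SSLPassPhraseDialog exec helper that just prints a literal. All file names and the sample PEM and helper contents are constructed, not real key material.

```shell
#!/bin/sh
# Added example: audit a TLS private key and its passphrase helper.
# Everything below (paths, PEM bodies, helper scripts) is constructed.

# key_is_encrypted FILE -> 0 if the PEM is passphrase-protected, else 1
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_mode_ok FILE -> 0 if no group/other permission bits are set
key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group+other part of "-rw-------"
    [ "$mode" = "------" ]
}

# audit_key FILE -> prints encrypted | plain-restricted | plain-exposed
audit_key() {
    if key_is_encrypted "$1"; then
        echo encrypted
    elif key_mode_ok "$1"; then
        echo plain-restricted
    else
        echo plain-exposed
    fi
}

# helper_is_static FILE -> 0 if the passphrase helper just echoes a literal
# (an echo/printf line with no $ or backtick, so no external input): the case
# the thread describes as equivalent to an unencrypted key
helper_is_static() {
    grep -E '^[[:space:]]*(echo|printf) ' "$1" | grep -qv '[$`]'
}

# make_samples -> prints a temp dir holding constructed sample files
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,0000' '' 'ABCD' '-----END RSA PRIVATE KEY-----' \
        > "$dir/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'ABCD' \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.key"
    chmod 600 "$dir/plain.key"
    cp "$dir/plain.key" "$dir/exposed.key"
    chmod 644 "$dir/exposed.key"
    printf '%s\n' '#!/bin/sh' 'echo "hunter2"' > "$dir/static-pass.sh"
    printf '%s\n' '#!/bin/sh' '# operator or token supplies the secret' \
        'read -r pw < /dev/tty' 'echo "$pw"' > "$dir/interactive-pass.sh"
    echo "$dir"
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(make_samples)
    for k in enc plain exposed; do
        printf '%s: %s\n' "$k.key" "$(audit_key "$d/$k.key")"
    done
    for h in static-pass interactive-pass; do
        if helper_is_static "$d/$h.sh"; then
            echo "$h.sh: static literal, equivalent to an unencrypted key"
        else
            echo "$h.sh: takes external input"
        fi
    done
    rm -rf "$d"
fi
```

The interesting output is the pair `plain-restricted` next to a helper reported as a static literal: by the reasoning in the thread those two deployments are equivalent, so the audit treats tight mode bits as the property that actually matters.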