Old topic ssl private key with passphrase

Maxim Dounin mdounin at mdounin.ru
Thu Apr 24 08:54:56 UTC 2014


Hello!

On Wed, Apr 23, 2014 at 08:32:57PM +0200, Aleksandar Lazic wrote:

> Hi.
> 
> On 23-04-2014 18:19, Maxim Dounin wrote:
> >Hello!
> >
> >On Wed, Apr 23, 2014 at 05:34:10PM +0200, Aleksandar Lazic wrote:
> >
> >>Dear nginx developers.
> >>
> >>What is necessary that you take hands on the topic 'private key
> >>passphrase'?
> 
> [snipp]
> 
> >Igor explained his position on this more than once: unless you are
> >actually using something external to enter key passwords, there is no
> >difference with unencrypted keys from security point of view
> >(assuming proper access rights are used for keys).  And as far as
> >we know, no or almost no users of Apache's SSLPassPhraseDialog use
> >it this way, most just use "echo 'password'" or something like that.
> 
> Full ack ;-/
> 
> I also agree that this is a very hard task.
> 
> >So the question is: why do you need it?
> 
> If you want to get a specific certificate for some standards.

Well, that's not about security either, and completely 
non-technical.

I've seen "certifications" requiring the use of software with known 
remote code execution vulnerabilities, and I'm quite sceptical 
about doing something just because of certification requirements, 
without understanding the reasons behind them (if any).

Anyway, if you know a standard which requires storing keys in 
password-protected form only, please point it out.

> >(I'm aware of at least one more or less valid answer which almost
> >convinced me that we should add it, but it's not about security,
> >but rather about social engineering.)
> 
> Maybe some standards could be a valid reason.
> 
> https://en.wikipedia.org/wiki/PCI_DSS
> 
> https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
> 
> e. g.
> 
> ####
> 8.2
> Employ at least one of these to authenticate all users: password or
> passphrase; or two-factor
> authentication (e.g., token devices, smart cards, biometrics, public keys).
> ####

This doesn't look related at all.  It's about authentication of 
users, not about storage of private keys.

-- 
Maxim Dounin
http://nginx.org/
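The argument in this message turns on one point: an encrypted key whose passphrase is supplied by a script that echoes a literal is no better protected than a plaintext key, so what actually matters is the access rights on the key file. The following audit script is an added example, not code from nginx or from either participant in the thread; it reports whether a PEM key is actually encrypted, whether the file mode lets group or other read it, and whether a configured passphrase helper (the Apache SSLPassPhraseDialog pattern mentioned above) merely prints a hard-coded password. The PEM samples and the helper script are constructed inline, with placeholder key bodies, so it runs offline.

```python
"""Audit TLS private key files along the lines of the thread's argument:
is the PEM really encrypted, is the file mode restrictive, and does a
passphrase helper just echo a literal (which makes the encryption moot)?

Added example; not code from nginx or from the thread's participants.
"""
import os
import re
import stat
import tempfile
from typing import Optional

# Markers that distinguish an encrypted PEM private key from a plaintext one.
ENCRYPTED_MARKERS = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8, encrypted
    b"Proc-Type: 4,ENCRYPTED",                 # legacy OpenSSL PEM with DEK-Info
)

# A helper that only prints a literal password: echo 'secret' / printf "secret".
TRIVIAL_HELPER_RE = re.compile(r"^\s*(echo|printf)\s+['\"]", re.MULTILINE)


def key_is_encrypted(pem: bytes) -> bool:
    """True if the PEM carries an encryption marker, i.e. a passphrase is needed."""
    return any(marker in pem for marker in ENCRYPTED_MARKERS)


def file_mode(path: str) -> int:
    """Permission bits of the file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def mode_is_restrictive(path: str, allowed: int = 0o600) -> bool:
    """True if no permission bit outside `allowed` is set (no group/other access)."""
    return file_mode(path) & ~allowed == 0


def helper_is_trivial(script_text: str) -> bool:
    """True if the passphrase helper just echoes a hard-coded string."""
    return TRIVIAL_HELPER_RE.search(script_text) is not None


def audit_key(key_path: str, helper_script: Optional[str] = None) -> dict:
    """Collect findings for one key file and, optionally, its passphrase helper."""
    with open(key_path, "rb") as fh:
        pem = fh.read()
    encrypted = key_is_encrypted(pem)
    findings = []
    if not mode_is_restrictive(key_path):
        findings.append("key file readable by group/other (mode %o)" % file_mode(key_path))
    if encrypted and helper_script is not None and helper_is_trivial(helper_script):
        findings.append("passphrase helper embeds the password; encryption adds nothing")
    if not encrypted and helper_script is not None:
        findings.append("helper configured but key is not encrypted")
    return {"encrypted": encrypted, "mode": file_mode(key_path), "findings": findings}


# --- Constructed sample inputs (headers only; the base64 bodies are placeholders) ---
PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nAAAA...placeholder...\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    b"\n"
    b"AAAA...placeholder...\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
TRIVIAL_HELPER = "#!/bin/sh\necho 'example-password'\n"  # constructed helper script


def demo() -> dict:
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain.key")
        enc = os.path.join(d, "enc.key")
        with open(plain, "wb") as fh:
            fh.write(PLAIN_KEY)
        os.chmod(plain, 0o644)  # deliberately too permissive
        with open(enc, "wb") as fh:
            fh.write(ENCRYPTED_KEY)
        os.chmod(enc, 0o600)
        return {
            "plain": audit_key(plain),
            "encrypted": audit_key(enc, helper_script=TRIVIAL_HELPER),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the output makes is the one Maxim makes in prose: the encrypted key with a trivial helper and the plaintext key with loose permissions both get a finding, and only a key that is either unreadable to others or unlocked by something genuinely external passes clean.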


