On February 22, 2019 5:03:43 AM CST, Ruediger Pluem <rpl...@apache.org> wrote:
>On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
>> Hi, all;
>> I was approached to see if I would be interested/willing to work on
>> code to support encrypted client keys for the proxy.
>You mean encrypted private keys for SSL client authentication?
>You might remember that discussion from 2013 then where you took part:
Yes, indeed. That thread is in a similar neighborhood... but is more focused on
the idea of removing the functionality. It feels like ages ago we discussed
that. I had all but forgotten about that thread!

My own opinion on the topic is mostly unchanged:

I agree with Joe's assertion that sometimes folks are bound to "the checklist".
Whether that be from an auditor, security policy or some other form of edict
passed upon the server admin team, it's their job to comply. At least in the
large enterprises I've sampled, the response is usually: "Don't care. The
policy says <foo>. Fix it." It'd be a shame if we cannot serve those poor
server admins... they already have the cards stacked against them anyway. In
the meantime since that thread, it also seems "that other web server" has added
support for encrypted keys with passphrase coming from a file.

I don't intend to spark the debate again with this reply. We CAN do that in
another thread as I don't think we found consensus across the project and/or
there's not enough interest to change current inertia. After all... the doers
will do :-) I'm just hoping the above adds context to why I personally would
like to see the capability.