On February 22, 2019 5:03:43 AM CST, Ruediger Pluem <rpl...@apache.org> wrote:
>On 02/21/2019 12:46 AM, Daniel Ruggeri wrote:
>> Hi, all;
>> I was approached to see if I would be interested/willing to work on
>> code to support encrypted client keys for the proxy.
>You mean encrypted private keys for SSL client authentication?
>You might remember that discussion from 2013 then where you took part:

Yes, indeed. That thread is in a similar neighborhood... but is more focused on 
the idea of removing the functionality. It feels like ages ago we discussed 
that. I had all but forgotten about that thread!

My own opinion on the topic is mostly unchanged:
I agree with Joe's assertion that sometimes folks are bound to "the checklist". 
Whether that be from an auditor, security policy or some other form of edict 
passed upon the server admin team, it's their job to comply. At least in the 
large enterprises I've sampled, the response is usually: "Don't care. The 
policy says <foo>. Fix it." It'd be a shame if we cannot serve those poor 
server admins... they already have the cards stacked against them anyway. In 
the meantime since that thread, it also seems "that other web server" has added 
support for encrypted keys with passphrase coming from a file.

I don't intend to spark the debate again with this reply. We CAN do that in 
another thread as I don't think we found consensus across the project and/or 
there's not enough interest to change current inertia. After all... the doers 
will do :-) I'm just hoping the above adds context to why I personally would 
like to see the capability.

