On Wed, 2011-08-03 at 12:21 -0400, Ian Stokes-Rees wrote:
> 
> On Wed Aug  3 10:37:45 2011, Stephen Gallagher wrote:
> > As a general rule, I would think that having your private key stored
> > somewhere that an admin other than yourself can reset the password and
> > have access to would be really dangerous. Most especially if this
> > private key was being used to access sites in other administrative
> > domains.
> > 
> > That really sounds like an accident waiting to happen...
> 
> If you are concerned about that, then don't make use of a centralized 
> keystore.
> 
> You may be a security expert and have a deeper understanding of this 
> than I do, but from my limited experience and knowledge of security 
> audits and risk assessment, if you don't trust your system 
> administrators then you have a whole heap of other issues you need to 
> contend with.
> 
> Consider that the FreeIPA server is probably *more* secure than the 
> user-accessible systems and file servers.  If someone with 
> administrative (root) privs for the part of the system where I store my 
> passphrase encrypted private key would be the kind of person who would 
> take the private key from a central keystore, if it existed, then do 
> you not think they could get my passphrase and/or cleartext private key 
> from the system *without* a central keystore?
> 
> This is not to say there aren't arguments against it: a policy mix up 
> or a bug in the central keystore could lead to *all* users having their 
> private keys compromised, and an admin who can dip in and grab private 
> keys without any evidence would also be bad, but hopefully the "Audit" 
> part of IPA means that any access to private keys will be securely 
> logged, and flagged if they are by users other than the "owner" of the 
> private key.
> 
> This is a topic that is very important to me, so I'm quite interested 
> to hear how my reasoning may be flawed, or to hear opinions from others.

As Adam pointed out, the default assumption is that no one is trusted.
But my main concern is not that the admins have access to your private
keys, but that they have access to your private keys *for an unrelated
domain*.

Even if both domains exist in your organization (e.g. CORP and ENG), you
are implicitly granting the admin of the CORP domain permission to
impersonate you on the ENG domain.

You're also significantly increasing the damage surface of a successful
attack against this domain. It's analogous to using the same password at
many major sites: compromise one and you have the keys to all of the
others.

So I guess what I'm saying is not "Don't use centrally managed key
storage", but rather "If you use the key anywhere but in this
administrative domain, do not put it in centrally-managed storage that
anyone but you can ever gain access to it".

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to