In OpenCA 0.9.3, keys could only be downloaded from the public interface if the downloader knew both the key's password and a separate download password. Thus, I was absolutely shocked when I found users could download private keys from the public interface in 1.0.2 simply by knowing the private key password.
We happen to make heavy use of server side generated keys, so this seems like a dramatic weakening of security. May I ask why it was done? Is there a way to revert to the old behavior? We tried setting an enrollment password on the key from the RA, but this did not change anything. In the past, we simply did not set a download password and users could not download keys from the public interface (this was our design choice). Thus we are left rather embarrassed in front of our clients with this dramatically weakened security. We'd love to see it revert to the former behavior piu presto possible. Please let me know if there is anything I can do to help.

Thanks - John

--
John A. Sullivan III
Open Source Development Corporation

Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense