Sorry to bump this old posting but we are getting close to production
and this is a serious issue.  I've been able to fix and submit patches
for some of the other issues we found but this one is WAY beyond me.
Thanks - John

In OpenCA 0.9.3, keys could only be downloaded from the public interface
if the downloader knew both the key's password and a separate download
password.  Thus, I was absolutely shocked when I found users could
download private keys from the public interface in 1.0.2 simply by
knowing the private key password.

We happen to make heavy use of server side generated keys so this seems
like a dramatic weakening of security.  May I ask why it was done? Is
there a way to revert to the old behavior?

We tried setting an enrollment password on the key from the RA but this
did not change anything.  In the past, we simply did not set a download
password and users could not download keys from the public interface
(this was our design choice).

Thus we are left rather embarrassed in front of our clients with this
dramatically weakened security.  We'd love to see it revert to the
former behavior piu presto possible.  Please let me know if there is
anything I can do to help.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation

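The policy difference John describes, as an added example that is not part of the original post or of OpenCA's own code: a hypothetical key-download check in which the 0.9.3-style rule requires both the key password and the separate download password (and treats a key with no download password as not downloadable at all), beside the 1.0.2-style rule where the key password alone suffices. The record layout, hashing scheme and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage format: PBKDF2-SHA256 of each secret with its own salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class StoredKey:
    # Hypothetical server-side record for a server-generated private key.
    key_salt: bytes
    key_hash: bytes
    download_salt: Optional[bytes]  # None when the RA set no download password
    download_hash: Optional[bytes]


def make_key(key_pw: str, download_pw: Optional[str]) -> StoredKey:
    key_salt, dl_salt = os.urandom(16), os.urandom(16)
    return StoredKey(
        key_salt, _hash(key_pw, key_salt),
        dl_salt if download_pw else None,
        _hash(download_pw, dl_salt) if download_pw else None,
    )


def can_download_weak(rec: StoredKey, key_pw: str) -> bool:
    """1.0.2-style rule as described in the post: key password alone unlocks the download."""
    return hmac.compare_digest(_hash(key_pw, rec.key_salt), rec.key_hash)


def can_download_strict(rec: StoredKey, key_pw: str, download_pw: Optional[str]) -> bool:
    """0.9.3-style rule: both secrets must match; no download password set means no download."""
    if rec.download_hash is None or rec.download_salt is None:
        return False
    # Evaluate both checks unconditionally so a wrong key password and a wrong
    # download password take the same time and leak nothing about which failed.
    key_ok = hmac.compare_digest(_hash(key_pw, rec.key_salt), rec.key_hash)
    dl_ok = hmac.compare_digest(_hash(download_pw or "", rec.download_salt), rec.download_hash)
    return key_ok and dl_ok
```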

OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel