On Wed, 2009-02-04 at 17:19 -0500, John A. Sullivan III wrote:
> Sorry to bump this old posting but we are getting close to production
> and this is a serious issue.  I've been able to fix and submit patches
> for some of the other issues we found but this one is WAY beyond me.
> Thanks - John
> 
> In OpenCA 0.9.3, keys could only be downloaded from the public interface
> if the downloader knew both the key's password and a separate download
> password.  Thus, I was absolutely shocked when I found users could
> download private keys from the public interface in 1.0.2 simply by
> knowing the private key password.
> 
> We happen to make heavy use of server side generated keys so this seems
> like a dramatic weakening of security.  May I ask why it was done? Is
> there a way to revert to the old behavior?
> 
> We tried setting an enrollment password on the key from the RA but this
> did not change anything.  In the past, we simply did not set a download
> password and users could not download keys from the public interface
> (this was our design choice).
> 
> Thus we are left rather embarrassed in front of our clients with this
> dramatically weakened security.  We'd love to see it revert to the
> former behavior piu presto possible.  Please let me know if there is
> anything I can do to help.  Thanks - John

Sorry for another bump but this is a big issue for us.  Has anyone had a
chance to look at this? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
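A small model of the two download rules described in the message above, added here as an illustration and not code from OpenCA or from the poster: under the 0.9.3-style rule a private key leaves the public interface only when both the key password and a separately set download password are presented and match, and an unset download password disables download entirely; under the 1.0.2-style rule the key password alone is checked. The class and function names, the PBKDF2 storage of the secrets, and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Hypothetical model (not OpenCA code) of the two private-key download
# policies described in the post.

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so stored secrets are not reversible if leaked.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class StoredSecret:
    salt: bytes
    digest: bytes

    @classmethod
    def from_password(cls, password: str) -> "StoredSecret":
        salt = os.urandom(16)
        return cls(salt, _derive(password, salt))

    def matches(self, candidate: str) -> bool:
        # Constant-time comparison of the derived digests.
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))


@dataclass
class KeyRecord:
    key_password: StoredSecret
    # None models the RA never having set a download password for this key.
    download_password: Optional[StoredSecret]


def may_download_0_9_3(rec: KeyRecord, key_pw: str,
                       download_pw: Optional[str]) -> bool:
    # Legacy rule: both secrets must be presented and both must match.
    # No download password configured means the key cannot be fetched from
    # the public interface at all, which is the behaviour the poster relied on.
    if rec.download_password is None or download_pw is None:
        return False
    key_ok = rec.key_password.matches(key_pw)
    dl_ok = rec.download_password.matches(download_pw)
    # Evaluate both before combining so a failure does not short-circuit.
    return key_ok and dl_ok


def may_download_1_0_2(rec: KeyRecord, key_pw: str,
                       download_pw: Optional[str] = None) -> bool:
    # Behaviour the poster observed: only the key password is checked and
    # the enrollment/download password, set or not, has no effect.
    return rec.key_password.matches(key_pw)


if __name__ == "__main__":
    # Constructed sample record with both secrets set.
    rec = KeyRecord(StoredSecret.from_password("key-secret"),
                    StoredSecret.from_password("dl-secret"))
    print("0.9.3 rule, both correct:", may_download_0_9_3(rec, "key-secret", "dl-secret"))
    print("0.9.3 rule, key only:   ", may_download_0_9_3(rec, "key-secret", None))
    print("1.0.2 rule, key only:   ", may_download_1_0_2(rec, "key-secret"))
```

The difference between the two functions is the whole of the complaint in the thread: with the second rule, knowledge of the key password is sufficient, so an administrator who deliberately never set a download password no longer gets the deny-by-default behaviour of the first.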


_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel