Georg Lippold wrote:
Hi Ives,
It should be mentioned in the documentation - if not, we should fix this:
The idea is the following:
- the key is protected by its pin
(which is given at request time or set by the CA)
- if you download, you have to give the key-pin as a credential to
get access to the key and for decryption
the problem with this workflow is the following:
- the key-pin is exposed to brute-force attacks on the web
this would be like putting the key (even encrypted) somewhere
and waving: hey people, come and try yourself ;)
You can fix that if your users only submit PKCS#10 requests. Then, the
private key is never exposed on the web. It works well with Firefox
and IE, as far as I tested.
There are applications where you like to generate the key on the server ;).
These pins are only necessary in this case anyway, since the certificate
can always be received without any passwords...
and if there is no key in the CA infrastructure, you also don't need to
download PKCS#12 files which are protected by passwords... since there
is no private data around to protect
??? Isn't that the same as (or even worse than) just making the key-pin a
bit longer? If you extend the key-pin by one number, you get 10x the
security of the previous pin-length. If you introduce a
"download-pin", it just adds a constant factor, that is usually
smaller than the key-pin (unless you make it longer than the key pin,
but that doesn't seem to make sense). With a download-pin at the same
length as the key pin, you just get 2x the security instead of 10x by
just adding one number to the key pin.
This is at least the reason to have a separate download pin.
Greetings
Dalini
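The two workflows argued over above, as an added example in shell; this is not code from OpenCA or from anyone on the thread. It assumes the openssl command line is installed, works in a temporary directory, uses a throwaway self-signed CA standing in for OpenCA, and protects the PKCS#12 file with a constructed three-digit key PIN (042). The PKCS#10 path leaves the private key on the client and hands the CA only the request; the server-side PKCS#12 path is then brute-forced offline once the file has been downloaded, which is what "come and try yourself" amounts to in practice.

```shell
#!/bin/sh
# Added example, not code from OpenCA or from anyone on the thread.
# Contrasts a client-generated key submitted as a PKCS#10 request with a
# server-generated key handed out as a PIN-protected PKCS#12 file.
# Assumptions: the openssl CLI is installed; a throwaway self-signed CA
# stands in for OpenCA; the key PIN below is a constructed weak value.

WEAK_PIN=042   # constructed 3-digit key PIN for the PKCS#12 file

# Client side: generate the key pair locally and put only the public key
# and subject into a PKCS#10 request. The private key never leaves "$1".
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/client.key" >/dev/null 2>&1
    openssl req -new -key "$1/client.key" -subj "/CN=alice/O=Example" \
        -out "$1/client.csr" >/dev/null 2>&1
}

# CA side: check the request's self-signature and issue a certificate.
# Only the public key is needed, so there is nothing here to protect with a PIN.
ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -subj "/CN=Test CA" -days 1 -out "$1/ca.crt" >/dev/null 2>&1
    openssl req -in "$1/client.csr" -verify -noout >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" >/dev/null 2>&1
}

# Does the file carry private key material? (The CSR must not; the key file does.)
has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# Does the issued certificate carry the same public key as the local key?
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The other workflow: the server holds the key and exports it as a
# PKCS#12 file protected by the key PIN, which the user later downloads.
make_p12() {
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -passout "pass:$WEAK_PIN" -out "$1/client.p12" >/dev/null 2>&1
}

# Offline brute force against a downloaded PKCS#12: try every 3-digit PIN
# until the MAC verifies. Nothing rate-limits this once the file is local.
# Prints the recovered PIN on success, returns 1 if none matches.
crack_p12() {
    i=0
    while [ "$i" -le 999 ]; do
        pin=$(printf '%03d' "$i")
        if openssl pkcs12 -in "$1" -passin "pass:$pin" -noout >/dev/null 2>&1; then
            echo "$pin"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Run both workflows end to end in a temporary directory.
demo() {
    work=$(mktemp -d)
    make_csr "$work"
    ca_sign "$work" || { echo "CA rejected the request"; return 1; }
    if has_private_key "$work/client.csr"; then
        echo "CSR leaks private key material"; return 1
    fi
    cert_matches_key "$work/client.crt" "$work/client.key" &&
        echo "PKCS#10 path: certificate issued, private key stayed on the client"
    make_p12 "$work"
    echo "PKCS#12 path: key PIN recovered offline: $(crack_p12 "$work/client.p12")"
    rm -rf "$work"
}

demo
```

The search deliberately stops at three digits so the run finishes in about a second; each extra digit of a numeric PIN multiplies the offline cost by ten, but nothing limits the attempt rate once the file is on the attacker's disk, which is why the thread's alternative of never shipping the key at all changes the picture more than any PIN length does.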
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users