Howard Chu wrote:
> It's clear that nobody in the standards organizations considers storing private keys in
> the directory to be a safe thing to do. IMO this is just a matter of password security
> and good ACLs, and the standards should not preclude the option. It is no worse than
> storing userPassword.

Comparing CA keys with "storing userPassword" is too fuzzy:

1. Because I'm eagerly trying to avoid super-mighty (proxy) roles, a single compromised
password hopefully does not have such a broad security impact as a stolen CA private
key. And there's 2FA added to the mix for high-security systems.

2. In my deployments I never store clear-text passwords in 'userPassword'. I store
reversibly encrypted shared secrets with OATH-LDAP, but they can only be decrypted by a
process outside slapd.

So if you plan to store private keys of CAs in the DIT without extra encryption, solely
relying on slapd's ACLs, then IMO you have a pretty broad attack surface and I'd never
recommend that to anyone.

Ciao, Michael.
