Hi Jan,

On 25.02.2017 at 20:16, Jan Schermer wrote:

Shared Database: If you can accept a shared database, you can modify the default csr workflows so the RA side stops when it comes to signing and a scheduler on the CA side takes over.

So in theory - can I simply install OpenXPKI on one internal and one public machine with shared database and leave the CA keys and passwords only on the internal one? Admins will only access the internal one, users will only access the public one, so this should just work...?
CA Keys in OpenXPKI are PEM files in the file system, they never go to the database therefore there is no risk in this scenario.
What steps can I take to limit the access of the public instance to secrets in this scenario? I'm thinking about ca-generated private keys in particular (not sure what else is there to protect). I don't know yet whether I want those downloadable from the public instance at all.
I don't get this - if your users upload CSRs, you won't have user keys in the system at all and if you generate keys on the CA, you must bring them to the users.
If an attacker gains complete access to the public instance, what can he do? Looks to me he'll be able to access all the ca-generated private keys and then it comes to how good password was used when creating the request. Is that it? I haven't fully understood what "datasafe" protects, just that it uses both asymmetric and symmetric key (it probably isn't easily possible to only encrypt on the public instance and decrypt on the internal one?) I don't know what leaving that on the public instance would mean.
The datasafe token is used to encrypt data written to the "datapool" table - it's the classic "sandwich" with asymmetric encryption, we generate a symmetric key to encrypt the payload and encrypt the key with the asymmetric token. If you keep the datasafe key only on the CA box, you can encrypt data from RA to CA but not decrypt it on RA.
Am I on the right track here? :)
Looks like ,)
And I must say that so far everything I tried "just worked" which is pretty amazing, Thanks
You're welcome!

Oliver

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
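
The "sandwich" described in the reply above, as an added shell example that is not part of the original thread and is not OpenXPKI's own code. File and function names are hypothetical, and RSA-OAEP plus AES through the `openssl` CLI (1.1.1 or later) is an assumption standing in for whatever the datasafe token actually uses; the point is that a host holding only the public half can write encrypted data but cannot read it back.

```shell
#!/usr/bin/env bash
# Added illustration of hybrid ("sandwich") encryption; not OpenXPKI code.
# All names below are hypothetical. Sample data is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA box: create the key pair. Only the public half is copied to the RA.
ca_setup() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca_datasafe.key" 2>/dev/null
  openssl pkey -in "$WORK/ca_datasafe.key" -pubout -out "$WORK/ra_datasafe.pub"
}

# RA box: encrypt the payload with a fresh symmetric key, then wrap that
# key with the public key and discard the plaintext copy of it.
ra_encrypt() {  # $1 = plaintext
  openssl rand -hex 32 > "$WORK/sym.key"
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt \
    -pass "file:$WORK/sym.key" -out "$WORK/payload.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/ra_datasafe.pub" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/sym.key" -out "$WORK/sym.key.enc"
  rm -f "$WORK/sym.key"
}

# Unwrap the symmetric key with the given key file, then decrypt the payload.
# Succeeds only when the key file contains the private key.
decrypt_with() {  # $1 = key file
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/sym.key.enc" -out "$WORK/sym.key.dec" 2>/dev/null || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 \
    -pass "file:$WORK/sym.key.dec" -in "$WORK/payload.enc"
}

ca_setup
ra_encrypt "constructed sample: CA-generated private key for user1"
echo "CA box reads:  $(decrypt_with "$WORK/ca_datasafe.key")"
decrypt_with "$WORK/ra_datasafe.pub" >/dev/null \
  || echo "RA box (public key only): cannot decrypt"
```

AES-CBC as used here carries no integrity protection, so this shows the key separation only.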
