Hello Oliver,

Thanks for your quick response.

To be honest, I am a bit confused wrt the essence of 'ChallengePassword'. 
According to SCEP documentation, it is needed to limit the ability of an 
attacker. 

But -
1. It is not a mandatory attribute of PKCS #10.
2. The MS NDES default implementation enables OTP for each enrolment. But for 
OpenXPKI, the default implementation supports a static password only.
3. SCEP client (using JSCEP) does not provide any default support for getting 
the 'ChallengePassword' from SCEP Server using an API.
4. I am new to this, but as I understood, the PKCS #7 envelopedData can be 
decrypted by CA's private key only.

All of these are making me confused regarding the importance/significance of 
'ChallengePassword'. I'm also confused wrt the scope of the attacker. If my 
PKCS #7 envelopedData can be decrypted by CA only, what would be the threat from 
an attacker?

I know it is not very specific to OpenXPKI, but I need your help to get clarity 
and connect the dots to understand the big picture.

Thanks for your help again! Looking forward to hearing from you...


Thanks,
Kaushik

-----Original Message-----
From: Oliver Welter <[email protected]> 
Sent: 10 August 2019 18:16
To: [email protected]
Subject: Re: [OpenXPKI-users] What is the implication of challengepassword?

Hello,

it is possible to attach a dynamic data source to handle per-request passwords 
using a "Connector". Have a look at the Perl Class documentation of 
OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateChallenge

Oliver

On 10.08.19 at 10:29, Kaushik Basu wrote:
> 
> Hello,
> 
> 
> According to SCEP documentation, it is RECOMMENDED that the 
> challengePassword be a one-time authenticator value to limit the 
> ability of an attacker.
> 
> Does OpenXPKI support one-time password for each cert enrollment? As I 
> understand the current design is that I can have a single challenge 
> value for all enrollment requests which is by default set to 
> 'SecertChallenge'. Does that mean OpenXPKI is insecure?
> 
> 
> 
> Thanks,
> Kaushik
> 
> 
> 
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 


--
Protect your environment -  close windows and adopt a penguin!
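
The thread contrasts a single static challenge shared by all enrolments with a one-time value per request. As an added example (not OpenXPKI or JSCEP code, and not written by either poster), this Python block shows the server-side check each model implies; the class and function names, the subject strings and the idea of binding each challenge to an expected subject are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time


def verify_static(configured: str, presented: str) -> bool:
    """Static model: one secret for every request, no subject binding, reusable."""
    return hmac.compare_digest(configured.encode(), presented.encode())


class OneTimeChallengeStore:
    """Hypothetical per-request model: one challenge per expected subject, single use."""
    def __init__(self, ttl_seconds: float = 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # subject -> (SHA-256 of challenge, expiry time)

    def issue(self, subject: str) -> str:
        challenge = secrets.token_urlsafe(24)
        digest = hashlib.sha256(challenge.encode()).digest()
        self._pending[subject] = (digest, self._clock() + self._ttl)
        return challenge  # handed to the enrolling device out of band

    def verify(self, subject: str, presented: str) -> bool:
        entry = self._pending.get(subject)
        if entry is None:
            return False  # never issued for this subject, or already consumed
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[subject]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(presented.encode()).digest()):
            return False
        del self._pending[subject]  # consume: a replayed request is rejected
        return True


def demo() -> dict:
    static = "constructed-static-value"  # constructed sample, not a real default
    store = OneTimeChallengeStore()
    otp = store.issue("CN=device-a")  # constructed subject
    return {
        "static_first_use": verify_static(static, static),
        "static_replay": verify_static(static, static),
        "otp_wrong_subject": store.verify("CN=device-b", otp),
        "otp_first_use": store.verify("CN=device-a", otp),
        "otp_replay": store.verify("CN=device-a", otp),
    }
```

With the static value every request that knows the secret passes, for any subject and any number of times; the one-time store accepts only the first request for the subject the challenge was issued to.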

