Hello Kaushik,

Well, answering these questions in detail is beyond the scope of this ML.

The OpenXPKI SCEP workflow splits Authentication and Authorization - the ChallengePassword provides Authentication, and even if you pass this, you won't get a certificate without an extra Authorization, which in the Sample Config is done by a "Subject Whitelist" or a manual approval by an operator.

Please have a look at the file ca-one/scep/generic.yaml, especially the section "policy" - the options of the workflow are pretty well documented there.

If you are interested in our consultancy or setup service, please send me your contact details by PM.

Oliver
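To make the authentication/authorization split described above concrete, here is a small Python model added to this thread. It is not OpenXPKI code and does not reproduce its workflow or config keys; all class and function names (StaticChallenge, OneTimeChallenge, SubjectWhitelist, ScepPolicy) are hypothetical. It shows that a valid challengePassword only gets a request past the first gate, that a one-time challenge is consumed on first use, and that a non-whitelisted subject still ends up waiting for operator approval.

```python
"""Toy model of an SCEP enrolment policy that separates authentication
(challengePassword) from authorization (subject whitelist / operator).
Added example, not OpenXPKI's implementation."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class EnrollmentRequest:
    subject: str             # subject DN taken from the PKCS #10 request
    challenge_password: str  # challengePassword attribute from the PKCS #10


class StaticChallenge:
    """One shared secret for every request (the sample-config style)."""

    def __init__(self, secret: str) -> None:
        self._secret = secret

    def verify(self, req: EnrollmentRequest) -> bool:
        # constant-time comparison so timing does not leak the secret
        return hmac.compare_digest(self._secret, req.challenge_password)


class OneTimeChallenge:
    """Per-request tokens: handed out out-of-band, consumed on first use."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # token -> subject it was issued for

    def issue(self, subject: str) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[token] = subject
        return token

    def verify(self, req: EnrollmentRequest) -> bool:
        # pop() removes the token, so a replayed request fails
        bound_subject = self._tokens.pop(req.challenge_password, None)
        return bound_subject is not None and bound_subject == req.subject


class SubjectWhitelist:
    """Authorization gate: only pre-approved subjects are issued automatically."""

    def __init__(self, allowed: list[str]) -> None:
        self._allowed = set(allowed)

    def authorize(self, req: EnrollmentRequest) -> bool:
        return req.subject in self._allowed


class ScepPolicy:
    """Authentication first, then authorization; neither alone issues a cert."""

    def __init__(self, authenticator, authorizer: SubjectWhitelist) -> None:
        self.authenticator = authenticator
        self.authorizer = authorizer

    def evaluate(self, req: EnrollmentRequest) -> str:
        if not self.authenticator.verify(req):
            return "rejected"   # wrong, missing or already-used challenge
        if not self.authorizer.authorize(req):
            return "pending"    # authenticated, but an operator must approve
        return "issued"


def demo() -> dict:
    """Runs both challenge styles through the same whitelist policy."""
    # constructed sample data
    whitelist = SubjectWhitelist(["CN=printer01.example.test"])

    static_policy = ScepPolicy(StaticChallenge("shared-secret"), whitelist)
    ok = EnrollmentRequest("CN=printer01.example.test", "shared-secret")
    unknown = EnrollmentRequest("CN=laptop99.example.test", "shared-secret")

    otp = OneTimeChallenge()
    token = otp.issue("CN=printer01.example.test")
    otp_policy = ScepPolicy(otp, whitelist)
    first = EnrollmentRequest("CN=printer01.example.test", token)
    other_subject = EnrollmentRequest("CN=laptop99.example.test", token)

    return {
        "static_whitelisted": static_policy.evaluate(ok),
        "static_not_whitelisted": static_policy.evaluate(unknown),
        "otp_first_use": otp_policy.evaluate(first),
        "otp_replay": otp_policy.evaluate(first),
        "otp_wrong_subject": otp_policy.evaluate(other_subject),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is Oliver's: the static challenge in the sample config is a weak authenticator on its own, but the subject whitelist (or a manual approval) is the step that actually decides whether a certificate leaves the CA.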

On 13.08.19 at 08:42, Kaushik Basu wrote:

Hello Oliver,

Thanks for your quick response.

To be honest, I am a bit confused with regard to the essence of 'ChallengePassword'. According to the SCEP documentation, it is needed to limit the ability of an attacker.

But -
1. It is not a mandatory attribute of PKCS #10.
2. The MS NDES default implementation enables OTP for each enrolment. But for OpenXPKI, the default implementation supports a static password only.
3. The SCEP client (using JSCEP) does not provide any default support for getting the 'ChallengePassword' from the SCEP server using an API.
4. I am new to this, but as I understand it, the PKCS #7 EnvelopedData can be decrypted by the CA's private key only.

All of these make me confused regarding the importance/significance of 'ChallengePassword'. I'm also confused with regard to the scope of the attacker. If my PKCS #7 EnvelopedData can be decrypted by the CA only, what would be the threat from an attacker?

I know it is not very specific to OpenXPKI, but I need your help to get clarity and connect the dots to understand the big picture.

Thanks for your help again! Looking forward to hearing from you...


Thanks,
Kaushik

-----Original Message-----
From: Oliver Welter <[email protected]>
Sent: 10 August 2019 18:16
To: [email protected]
Subject: Re: [OpenXPKI-users] What is the implication of challengepassword?

Hello,

it is possible to attach a dynamic data source to handle per-request passwords using a "Connector". Have a look at the Perl class documentation of OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateChallenge

Oliver

On 10.08.19 at 10:29, Kaushik Basu wrote:

Hello,


According to the SCEP documentation, it is RECOMMENDED that the challengePassword be a one-time authenticator value to limit the ability of an attacker.

Does OpenXPKI support a one-time password for each cert enrollment? As I understand it, the current design is that I can have a single challenge value for all enrollment requests, which is by default set to 'SecertChallenge'. Does that mean OpenXPKI is insecure?



Thanks,
Kaushik



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!








