[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

To: OpenLDAP-devel@openldap.org
Subject: Re: Storing TLS credentials in the directory
From: Turbo Fredriksson <turbo@bayour.com>
Date: Sun, 9 Apr 2017 10:21:04 +0100
Authorized-sender: turbo@bayour.com
In-reply-to: <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com>
References: <E1cx31W-0005aD-M5@euler.openldap.org> <WM!4ba83b2090d2bd1da4412c283bf93e9733cc0be005cc6e1eea16569b1a5755a16c137c899e1426c4e700614ef0d86a6e!@mailstronghold-2.zmailcloud.com> <faee960d-3967-2eed-b6ec-d2f8e0b4fdc6@symas.com> <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com>

On 9 Apr 2017, at 04:06, Howard Chu <hyc@symas.com> wrote:

> It's clear that nobody in the standards organizations considers storing private keys in the directory to be a safe thing to do. IMO this is just a matter of password security and good ACLs, and the standards should not preclude the option. It is no worse than storing userPassword.

I agree (fwiw).


It needs to be stored SOMEWHERE. Usually it’s in/on the filesystem. And the only two (?)
things that protect it there is:

   1) The access permissions on the file. I.e., “ACLs".
   2) No/limited users allowed on the system. I.e., "password security" (?)

So using “ACLs" and "password security" on the filesystem or in the directory, shouldn’t be
that different.

Only difference might be that the local FS isn’t available _outside_ the host, a directory
is.

References:
- Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Storing TLS credentials in the directory
Next by Date: Re: Storing TLS credentials in the directory
Index(es):
- Chronological
- Thread