[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

Howard Chu wrote:
> It's clear that nobody in the standards organizations considers storing private keys in
> the directory to be a safe thing to do. IMO this is just a matter of password security
> and good ACLs, and the standards should not preclude the option. It is no worse than
> storing userPassword.

Comparing CA keys with "storing userPassword" is too fuzzy:

1. Because I'm eagerly trying to avoid super-mighty (proxy) roles a single compromised
password hopefully does not have such a broad security impact like a stolen CA private
key. And there's added 2FA to the mix for high security systems.

2. In my deployments I never store clear-text passwords in 'userPassword'. I store
reversible encrypted shared secret with OATH-LDAP but they can only be decrypted by a
process outside slapd.

So if you plan to store private keys of CAs in DIT without extra encryption solely
relying on slapd's ACLs then IMO you have a pretty broad attack surface and I'd never
recommend to anyone to use that.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature