[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

To: Michael Ströder <michael@stroeder.com>, OpenLDAP-devel@openldap.org
Subject: Re: Storing TLS credentials in the directory
From: Howard Chu <hyc@symas.com>
Date: Sun, 9 Apr 2017 20:57:29 +0100
In-reply-to: <WM!70ba72d390fb41c20879944e0f93e665f45bf63889cc450c22a3c4912a274ce48f53f6f605107cc117da806211161f6f!@mailstronghold-2.zmailcloud.com>
References: <E1cx31W-0005aD-M5@euler.openldap.org> <WM!4ba83b2090d2bd1da4412c283bf93e9733cc0be005cc6e1eea16569b1a5755a16c137c899e1426c4e700614ef0d86a6e!@mailstronghold-2.zmailcloud.com> <faee960d-3967-2eed-b6ec-d2f8e0b4fdc6@symas.com> <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com> <BE9CD1C3-B433-453A-92EE-258046EA3796@bayour.com> <WM!72c4bd8a502cb74b06f81b6b79f016b392e96533e633776189e8f3d79378f724d1b0950ee046f711f5b3fe60c82ab046!@mailstronghold-1.zmailcloud.com> <3b82bb6c-d295-586a-97ae-1498b74062bd@symas.com> <7A069EFE-53C6-4EDC-98DC-F2D9F53F2A18@bayour.com> <WM!f39622754a54a322cd4b5d4c797e2b29ba134ab8db60fd17eed0c572861319bf9e5b6654563372ab175acd66972902c7!@mailstronghold-2.zmailcloud.com> <223d2e96-5b9f-c069-9bbc-2e921a15c287@symas.com> <8d6f6358-1488-6bdf-607e-4c24b9ad99a6@stroeder.com> <WM!70ba72d390fb41c20879944e0f93e665f45bf63889cc450c22a3c4912a274ce48f53f6f605107cc117da806211161f6f!@mailstronghold-2.zmailcloud.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2

Michael Ströder wrote:

Howard Chu wrote:

Turbo Fredriksson wrote:

Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE
to be.


Indeed, there's no reason for it.


Hmm, every time in a customer encryption/PKI project the customer requested that it
should be secure *and* easy to use. This is kind of a contradiction to begin with.

Bootstrapping is usually the hardest part. That's the part I've focused onmaking easier.


Also this short discussion already oversimplifys all the possible use-cases and
considerations when talking about storing/using/protecting private keys. Personally I'd
never use such a autoca overlay running on the "normal" directory server.


(Over)simplification is exactly what is needed, most of the time.

So every technical design should start with a decent description of the use-cases or will
blatantly fail. This will lead to reviewing which name spaces have to be put in which
naming extension for which usage and who is authorized to use the keys and issue certs.
Simply starting with schema for private key storage is putting the cart before the horse.

You cannot write a decent design from scratch. It's important to have abaseline of functionality to get an idea of scope. The current overlayprovides that baseline.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Storing TLS credentials in the directory
  - From: Gavin Henry <ghenry@suretec.co.uk>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>

References:
- Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Storing TLS credentials in the directory
Next by Date: Re: Storing TLS credentials in the directory
Index(es):
- Chronological
- Thread