[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Encrypting attributes of my choice

To: "Susanne Benkert" <benkerts@emt.iis.fhg.de>, <openldap-software@OpenLDAP.org>
Subject: RE: Encrypting attributes of my choice
From: "Howard Chu" <hyc@highlandsun.com>
Date: Fri, 8 Feb 2002 01:22:56 -0800
Importance: Normal
In-reply-to: <3C639285.9070409@emt.iis.fhg.de>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Susanne
> Benkert

> Hi,

Hello
>
> I wrote Howards message and re-thought the security of my data stored in
>   the ldap tree....
...
> I'm using SSL/TLS to encrypt all communication with my ldap server. But
> therefor I have to store the key, the certificate and the ca-certificate
> in a well reachable directory. Isn't this quite insecure? I don't
> understand the ssl-stuff completly, so please correct me if I'm wrong.

Security is like an onion, it's made up of layers. (And working through the
layers can make you cry...) SSL/TLS is fine for securing the data as it
travels across the network. What happens to the data at each endpoint of
the connection is a different story, and involves a different security
layer.

> Can I do anything to improve the level of security for my data?
> (At the moment the mentioned file have these access rights: -rw-r--r--
> and my slapd.conf which have to contain information about the location
> of these files has: -rw-------, slapd can only be started as root.)

Your key file must *not* be publically readable. Your certificates can be.
Depending on how long your key file has been unprotected like this, you may
find it best to completely generate a new key/certificate pair for that
system.
(Also depending on your level of paranoia. But you've just now announced to
a huge internet community that you have an unprotected secret somewhere on
one of your machines.)

This was really the main point of my message - it takes proper
administration
to ensure security on your computer system. You can't just encrypt some
things
and expect that to be good enough. There are no security mechanisms in
existence today that can do a good job without competent administration and
oversight to
operate them. It takes human involvement, human judgement and experience.

> With best regards
> Susanne
>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- Re: Encrypting attributes of my choice
  - From: Susanne Benkert <benkerts@emt.iis.fhg.de>

Prev by Date: Subordinate Knowledge Information
Next by Date: Re: Specifying write access for more then one user?
Index(es):
- Chronological
- Thread