RE: Encrypting attributes of my choice
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Susanne
> I wrote Howard's message and re-thought the security of my data stored in
> the ldap tree....
> I'm using SSL/TLS to encrypt all communication with my ldap server. But
> therefore I have to store the key, the certificate and the ca-certificate
> in a well reachable directory. Isn't this quite insecure? I don't
> understand the ssl-stuff completely, so please correct me if I'm wrong.
Security is like an onion, it's made up of layers. (And working through the
layers can make you cry...) SSL/TLS is fine for securing the data as it
travels across the network. What happens to the data at each endpoint of
the connection is a different story, and involves a different security
> Can I do anything to improve the level of security for my data?
> (At the moment the mentioned files have these access rights: -rw-r--r--
> and my slapd.conf which has to contain information about the location
> of these files has: -rw-------, slapd can only be started as root.)
Your key file must *not* be publicly readable. Your certificates can be.
Depending on how long your key file has been unprotected like this, you may
find it best to completely generate a new key/certificate pair for that
(Also depending on your level of paranoia. But you've just now announced to
a huge internet community that you have an unprotected secret somewhere on
one of your machines.)
This was really the main point of my message - it takes proper
to ensure security on your computer system. You can't just encrypt some
and expect that to be good enough. There are no security mechanisms in
existence today that can do a good job without competent administration and
operate them. It takes human involvement, human judgement and experience.
> With best regards
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
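One way to check the file modes Howard describes, as an added example that is not part of the thread: a POSIX shell script that reads the TLS file paths out of a slapd.conf (via the TLSCertificateKeyFile, TLSCertificateFile and TLSCACertificateFile directives, which slapd.conf does use but the thread does not name), flags a key that is readable by group or others, and leaves the certificates alone since those may be public. The config and the key/cert files are constructed in a temporary directory with the modes from Susanne's question; every path in it is made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit the TLS files named in slapd.conf.
# Rule from the reply above: the private key must be owner-only (0600);
# the server certificate and CA certificate may be world-readable (0644).
# Directive names are the real slapd.conf ones; all paths here are invented.

# Print the 10-character mode string of a file, e.g. "-rw-r--r--".
# Parsing ls -l keeps this portable across GNU and BSD stat(1) flavours.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# True (exit 0) when any group or other permission bit is set.
group_or_world_readable() {
    case "$(file_mode "$1")" in
        ????------) return 1 ;;   # only owner bits set: private
        *)          return 0 ;;
    esac
}

# Print the value of directive $2 in config file $1 (case-insensitive, last wins).
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Audit the three TLS files. Exit 0 when the key is private, 1 when it is
# exposed, 2 when the config names no key at all.
audit_slapd_tls() {
    conf="$1"
    key=$(conf_value "$conf" TLSCertificateKeyFile)
    [ -n "$key" ] || { echo "no TLSCertificateKeyFile in $conf"; return 2; }
    rc=0
    if group_or_world_readable "$key"; then
        echo "BAD  key   $key  $(file_mode "$key")  must be owner-only"
        rc=1
    else
        echo "ok   key   $key  $(file_mode "$key")"
    fi
    for directive in TLSCertificateFile TLSCACertificateFile; do
        f=$(conf_value "$conf" "$directive")
        [ -n "$f" ] && echo "ok   cert  $f  $(file_mode "$f")  (public is fine)"
    done
    return $rc
}

# Remediation: strip the group and other bits from the key.
fix_key_perms() {
    chmod 600 "$1"
}

# Build a constructed slapd.conf plus key/cert files in a temp dir,
# reproducing the modes from the question (key 0644, conf 0600).
make_demo_tree() {
    d=$(mktemp -d)
    for f in server.key server.crt ca.crt; do : > "$d/$f"; chmod 644 "$d/$f"; done
    cat > "$d/slapd.conf" <<EOF
# constructed config for the example
TLSCertificateFile    $d/server.crt
TLSCertificateKeyFile $d/server.key
TLSCACertificateFile  $d/ca.crt
EOF
    chmod 600 "$d/slapd.conf"
    echo "$d"
}

# Stand-alone demo: audit, fix, audit again.
demo=$(make_demo_tree)
audit_slapd_tls "$demo/slapd.conf"      # reports BAD for the 0644 key
fix_key_perms "$demo/server.key"
audit_slapd_tls "$demo/slapd.conf"      # now ok
rm -rf "$demo"
```

An owner-only key is still readable by slapd when it starts as root, as in the question. If slapd is started with its `-u user` / `-g group` options to drop privileges, the key file must then be owned by (or otherwise readable only by) that service user, and nothing else.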