need input: Providing m_a_o with OpenPGP Passphrase

Ideas? Patches that are features or fix bugs? Documentation? HOWTOs? Anything you want to contribute, right here!

Post by buanzo on Tue May 22, 2007 6:19 pm

I'm in the process of adding response signing to mod_auth_openpgp, and the obvious issue here is that I need to pass gpgme the secret passphrase to unlock the private key.

It's the classic SSL passphrase issue all admins work around by using a passwordless certificate, so I really am looking forward to some community feedback here.

What are your ideas for this?
buanzo
Administrator
Posts: 673
Joined: Sat Dec 09, 2006 11:17 am
Location: Buanzonia (ok, Florida, Buenos Aires)

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by legion on Tue May 22, 2007 8:22 pm

What are you really going to achieve? Password for pkey must be stored in cleartext, otherwise you won't decrypt it. So it really doesn't matter if you store pkey in cleartext or ciphered but with accessible key. I'm sorry but this dog is chasing its own tail...
legion
 
Posts: 2
Joined: Tue May 22, 2007 8:19 pm

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by buanzo on Tue May 22, 2007 11:48 pm

Yes, of course it has to be stored in cleartext :)

Where to store it is, how to retrieve it, etc. General ideas:

As a parameter to a new command inside the VirtualHost? In a .htaccess? Some other external file? Setting it via a new Handler, over HTTPS?

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by legion on Wed May 23, 2007 2:04 pm

from a security point of view it completely doesn't matter - key or passphrase must be stored somewhere in cleartext (in httpd.conf, somewhere on the disk, on the other machine). every solution is equally secure. unless you type it by hand...

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by buanzo on Wed May 23, 2007 2:04 pm

Benn, from Columbia University, told me via eMail:

For our https servers, we wrote a script compatible with the SSLPassPhraseDialog of Apache 2 that retrieves the passphrase from a central repository. This doesn't really increase the security of the passphrase or the cert, but it makes the retrievals somewhat auditable.

My reply was:
Thanks for the input, interesting comment! I'm planning on making mod_auth_openpgp as flexible in this aspect as possible, so it can fit many different scenarios/needs.
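Added example (not part of the thread, and not code from mod_auth_openpgp or from Benn's site): a passphrase helper of the kind mod_ssl runs through `SSLPassPhraseDialog exec:`, which prints the passphrase on stdout and records every retrieval attempt. The file paths, the log format, the helper name and the use of a local owner-only file as the "repository" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: passphrase helper in the style of a
# mod_ssl "SSLPassPhraseDialog exec:" program (args: "servername:port" "RSA").
# PASS_FILE, AUDIT_LOG and the helper name below are hypothetical.
umask 077
PASS_FILE=${PASS_FILE:-/etc/apache2/mao/passphrase}
AUDIT_LOG=${AUDIT_LOG:-/var/log/mao-passphrase-audit.log}

# Append one audit record per retrieval attempt; never log the passphrase.
audit() {
    printf '%s pid=%s ppid=%s uid=%s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$PPID" "$(id -u)" "$*" >>"$AUDIT_LOG"
}

# Print the passphrase (first line of PASS_FILE) on stdout, or print nothing
# and return 1 if the file is a symlink, missing, not ours, or open to others.
get_passphrase() {
    target=${1:-unknown} algo=${2:-unknown}
    if [ -L "$PASS_FILE" ] || [ ! -f "$PASS_FILE" ]; then
        audit "DENY target=$target algo=$algo reason=not-a-regular-file"
        return 1
    fi
    # "ls -ldn" yields e.g. "-rw------- 1 0 0 ...": field 1 mode, field 3 uid.
    set -- $(ls -ldn "$PASS_FILE")
    mode=$1 owner=$3
    case $mode in
        -r[w-]-------*) ;;  # owner read/write only, nothing for group/other
        *)  audit "DENY target=$target algo=$algo reason=mode:$mode"
            return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        audit "DENY target=$target algo=$algo reason=owner:$owner"
        return 1
    fi
    audit "ALLOW target=$target algo=$algo"
    head -n 1 "$PASS_FILE"
}

# Run only when installed under the (hypothetical) helper name.
if [ "${0##*/}" = "mao-passphrase-helper" ]; then
    get_passphrase "$@"
fi
```

The passphrase is still cleartext on disk, as the thread concludes; the helper only refuses the carelessly permissioned cases and leaves a record of who asked and when.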

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by buanzo on Wed May 23, 2007 7:01 pm

legion wrote: from a security point of view it completely doesn't matter - key or passphrase must be stored somewhere in cleartext (in httpd.conf, somewhere on the disk, on the other machine). every solution is equally secure. unless you type it by hand...


Yes, that's what I've come to realize. I don't have to find the most secure method, but avoid the insecure ones. My goal, then, is to provide flexibility. What do you think of that?

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by lace on Thu May 24, 2007 7:54 pm

Someone can prefer adding passphrase only personally during the booting of system or start/restart of apache.
There can be situations when stopped apache is more appropriate than passphrase stored on the disk.
Yea and m_a_o could support OpenPGP card.
lace
 
Posts: 12
Joined: Mon May 14, 2007 7:00 pm

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by buanzo on Thu May 24, 2007 8:12 pm

lace wrote: Someone can prefer adding passphrase only personally during the booting of system or start/restart of apache. There can be situations when stopped apache is more appropriate than passphrase stored on the disk.


True, true!

lace wrote: Yea and m_a_o could support OpenPGP card.


If you want to discuss this, I'd request that we do it on a different thread.

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by dkg on Sat Jun 02, 2007 10:25 pm

lace wrote: There can be situations when stopped apache is more appropriate than passphrase stored on the disk.

This is definitely one reasonable situation, though it's probably not the most common situation.

Users who have this need are probably already using the interface provided by mod_ssl's SSLPassPhraseDialog, as another poster suggested. If you want wider adoption of mod_auth_openpgp, it's probably best to make a parallel interface.

BTW, have you considered renaming mod_auth_openpgp to mod_authn_openpgp, in keeping with the growing apache separation between authentication and authorization?

PS i haven't tried m_a_o yet, but i'm very interested in its potential. Thanks for your work on it!
dkg
Posts: 3
Joined: Sat Jun 02, 2007 9:22 pm

Re: need input: Providing m_a_o with OpenPGP Passphrase

Post by buanzo on Tue Jun 05, 2007 12:58 pm

dkg wrote: Users who have this need are probably already using the interface provided by mod_ssl's SSLPassPhraseDialog, as another poster suggested. If you want wider adoption of mod_auth_openpgp, it's probably best to make a parallel interface.

Yes, that's exactly what I'm going to do. Thanks for the extra pushing! :)

dkg wrote: BTW, have you considered renaming mod_auth_openpgp to mod_authn_openpgp, in keeping with the growing apache separation between authentication and authorization?

I'm concerned about that. I'll probably rename it once mao gets to 1.0.0. I named it _auth because that's how I originally planned it, but once at 0.2.0 I realized the mistake. :)

dkg wrote: PS i haven't tried m_a_o yet, but i'm very interested in its potential. Thanks for your work on it!

Hey, thanks! I'm currently working on the ImportKey handler, and some extra functionality that will allow Enigform (and other software, of course) to detect OpenPGP-enabled web servers, and act accordingly. For example, Firefox may provide a window where the user can decide if he wants to sign outgoing requests Always/Never/Ask_me and which key to use, etc...