Foros GNU/Buanzo

[buanzo]

I'm in the process of adding response signing to mod_auth_openpgp, and the obvious issue here is that I need to pass gpgme the secret passphrase to unlock the private key.

It's the classic SSL passphrase issue all admins work around by using a passwordless certificate, so I really am looking forward for some community feedback here.

What are your ideas for this?

[legion]

What are you really going to achieve? Password for pkey must be stored in cleartext, otherwise you won't decrypt it. So it really doesn't matter if you store pkey in cleartext or ciphered but with accesible key. I'm sorry but this dog is chasing its own tail...

[buanzo]

Yes, of course it has to be stored in cleartext

Where to store it is, how to retrieve it, etc. General ideas:

As a parameter to a new command inside the VirtualHost? In a .htaccess? Some other external file? Setting it via a new Handler, over HTTPS?

[legion]

from security point of view it completly doesn't matter - key or passphrase must be stored somewhere in cleartext (in httpd.conf, somewhere on the disk, on the other machine). every solution is equal secure. unless you type it by hand...

[buanzo]

Benn, from Columbia University, told me via eMail:

For our https servers, we wrote a script compatible with the SSLPassPhraseDialog of Apache 2 that retrieves the passphrase from a central repository. This doesn't really increase the security of the passphrase or the cert, but it makes the retrievals somewhat auditable.

My reply was:

Thanks for the input, interesting comment! I'm planning on making mod_auth_openpgp as flexible in this aspect as possible, so it can fit many different scenarios/needs.

[buanzo]

from security point of view it completly doesn't matter - key or passphrase must be stored somewhere in cleartext (in httpd.conf, somewhere on the disk, on the other machine). every solution is equal secure. unless you type it by hand...

Yes, that's what I've come to realize. I don't have to find the most secure method, but avoid the insecure ones. My goal, then, is to provide flexibility. What do you think of that?

[lace]

Someone can prefer adding passphrase only personally during the booting of system or start/restart of apache.
There can be situations when stopped apache is more appropriate than passphrase stored on the disk.
Yea and m_a_o could support OpenPGP card.

[buanzo]

Someone can prefer adding passphrase only personally during the booting of system or start/restart of apache. There can be situations when stopped apache is more appropriate than passphrase stored on the disk.

True, true!

Yea and m_a_o could support OpenPGP card.

If you want to discuss this, I'd request that we do it on a different thread.

[dkg]

There can be situations when stopped apache is more appropriate than passphrase stored on the disk.

This is definitely one reasonable situation, though it's probably not the most common situation.

Users who have this need are probably already using the interface provided by mod_ssl's SSLPassPhraseDialog, as another poster suggested. If you want wider adoption of mod_auth_openpgp, it's probably best to make a parallel interface.

BTW, have you considered renaming mod_auth_openpgp to mod_authn_openpgp, in keeping with the growing apache separation between authentication and authorization?

PS i haven't tried m_a_o yet, but i'm very interested in its potential. Thanks for your work on it!

[buanzo]

Users who have this need are probably already using the interface provided by mod_ssl's SSLPassPhraseDialog, as another poster suggested. If you want wider adoption of mod_auth_openpgp, it's probably best to make a parallel interface.

Yes, that's exactly what I'm going to do. Thanks for the extra pushing!

BTW, have you considered renaming mod_auth_openpgp to mod_authn_openpgp, in keeping with the growing apache separation between authentication and authorization?

I'm concerned about that. I'll probably rename it once mao gets to 1.0.0. I named it _auth because that's how I originally planned it, but once at 0.2.0 I realized the mistake.

PS i haven't tried m_a_o yet, but i'm very interested in its potential. Thanks for your work on it!

Hey, thanks! I'm currently working on the ImportKey handler, and some extra functionality that will allow Enigform (and other software, of course) to detect OpenPGP-enabled web servers, and act accordingly. For example, Firefox may provide a window where the user can decide if he wants to sign outgoing requests Always/Never/Ask_me and which key to use, etc...