Re: [Openvpn-users] "--askpass file" is evil!

Jean-Pierre Schwickerath wrote:

Every decent program storing certificates should allow the user to decrypt his/her certificate with the password supplied by the CA and then reencrypt it with a passphrase chosen by the user.

Changing a passphrase is certainly possible with SSL. Code can also be included to enforce strong passphrases. These are good things but, however strong or however repeatedly changed a passphrase is, if it's stored on the same disk as the key, then it's pointless. You may as well not have a passphrase at all. It adds nothing to the security of the system.

We're relying on _possession_ of a private key and _knowledge_ of a passphrase to authenticate someone whose identity we cannot verify any other way. With the passphrase on disk, it becomes possession of the key file and possession of the passphrase file. In a lot of cases, that just amounts to possession of the laptop they're both stored on. The two aspects of the authentication have to remain separate for the procedure to be viable.

Unless you're into biometrics, then the only way to maintain that separation is to have the passphrase stored nowhere except in the memory of the owner of the key. If it gets forgotten then that's tough. They have their certificate revoked and a new one signed/assigned.

In the end, the user has to bear some responsibility for the security of their identification.
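
An added example, not part of the original message or of OpenVPN: a small audit that reads an OpenVPN config and reports when the key passphrase comes from a file that sits on the same filesystem as the private key, which is the case the message argues against. The function names and the sample file names are assumptions made for this example; only the `askpass` and `key` options are inspected.

```python
import os
import shlex

def parse_directives(config_text):
    """Collect the args of the 'askpass' and 'key' options from an OpenVPN config."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment lines
            continue
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        name = tokens[0].lstrip("-")           # accept 'askpass' and '--askpass'
        if name in ("askpass", "key"):
            found[name] = tokens[1:]
    return found

def audit(config_text, base_dir="."):
    """Return (level, reason) describing how the key passphrase is supplied."""
    opts = parse_directives(config_text)
    if not opts.get("askpass"):
        # No askpass, or askpass with no argument: OpenVPN prompts for it.
        return ("ok", "passphrase is prompted for, not read from a file")
    pass_path = os.path.join(base_dir, opts["askpass"][0])
    if not opts.get("key"):
        return ("warn", "passphrase read from %s; key not named in this config" % pass_path)
    key_path = os.path.join(base_dir, opts["key"][0])
    try:
        same_device = os.stat(pass_path).st_dev == os.stat(key_path).st_dev
    except OSError:
        return ("warn", "passphrase file configured, but a path could not be checked")
    if same_device:
        return ("fail", "key and passphrase file sit on the same filesystem")
    return ("warn", "passphrase is stored in a file on a different device than the key")

if __name__ == "__main__":
    # Constructed sample config; the file names are made up for this example.
    sample = "client\nkey client.key\naskpass pass.txt  # stored passphrase\n"
    print(audit(sample))
```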


