
Re: [Openvpn-users] "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: awilliam@xxxxxxxxxxxxx
  • Date: Fri, 3 Dec 2004 09:15:27 -0500 (EST)

> > Every decent program storing certificates should allow the user to
> > decrypt his/her certificate with the password supplied by the CA and
> > then reencrypt it with a passphrase chosen by the user.
> Changing a passphrase is certainly possible with SSL. Code can also be
> included to enforce strong passphrases. These are good things but, however
> strong or however repeatedly changed a passphrase is, if it's stored on the
> same disk as the key, then it's pointless. You may as well not have a
> passphrase at all. It adds nothing to the security of the system.
> We're relying on _possession_ of a private key and _knowledge_ of a passphrase
> to authenticate someone whose identity we cannot verify any other way. With
> the passphrase on disk, it becomes possession of the key file and possession of
> the passphrase file. In a lot of cases, that just amounts to possession of the
> laptop they're both stored on. The two aspects of the authentication have to
> remain separate for the procedure to be viable.

Your assumptions are ruling out legitimate use cases.  Laptop?  What 
laptop?  How about connections that need to be completely automated 
because there isn't a user there to enter a passphrase?  And the system is 
mounted in a rack inside a concrete room with a locked steel door?  Of 
course you also have to pass the front desk, security cameras, and at 
night there are those pesky door sensors hooked into the alarm.

If your argument is true then ***SSH*** is broken because you can automate 
connections with key exchanges.  All you need is to get the keys!

> In the end, the user has to bear some responsibility for the security of their
> identification.

In the end the user bears all the responsibility for the security of their 
identification; software should permit as wide a range of use cases 
as possible; selecting the proper tools and configuration is the job of 
educated people.

Openvpn-users mailing list