[Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

Adam Young ayoung at redhat.com
Wed Aug 3 16:38:45 UTC 2011


On 08/03/2011 12:21 PM, Ian Stokes-Rees wrote:
>
> On Wed Aug  3 10:37:45 2011, Stephen Gallagher wrote:
>> As a general rule, I would think that having your private key stored
>> somewhere that an admin other than yourself can reset the password and
>> have access to would be really dangerous. Most especially if this
>> private key was being used to access sites in other administrative
>> domains.
>>
>> That really sounds like an accident waiting to happen...
> If you are concerned about that, then don't make use of a centralized
> keystore.
>
> You may be a security expert and have a deeper understanding of this
> than I do, but from my limited experience and knowledge of security
> audits and risk assessment, if you don't trust your system
> administrators then you have a whole heap of other issues you need to
> contend with.
>
> Consider that the FreeIPA server is probably *more* secure than the
> user-accessible systems and file servers.  If someone with
> administrative (root) privs for the part of the system where I store my
> passphrase encrypted private key would be the kind of person who would
> take the private key from a central keystore, if it existed, then do
> you not think they could get my passphrase and/or cleartext private key
> from the system *without* a central keystore?

I think that it is a case of "Just because I am paranoid doesn't mean 
they are not out to get me."  It's not that we don't trust sysadmins, it 
is that we don't trust anyone.

Typically, instead of trusting anyone, sysadmin or no, with long term 
access to keys, you might provide a window in which they know the shared 
secret in order to reset the key, but not to make that a permanent 
relationship.

I think what you are interested in is the Data Recovery Manager 
(DRM...hey, we had the acronym first, but we also call it Key Recovery) 
aspect of Certificate Server.

Here's the redhat docs on it

http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/7.1/html/Administrators_Guide/kra.html#22604

And from the RPM:

That is not integrated into FreeIPA, but the packages are in Fedora as 
pki-kra.

The Data Recovery Manager (DRM) is an optional PKI subsystem that can act
as a Key Recovery Authority (KRA).  When configured in conjunction with the
Certificate Authority (CA), the DRM stores private encryption keys as part of
the certificate enrollment process.  The key archival mechanism is triggered
when a user enrolls in the PKI and creates the certificate request.  Using the
Certificate Request Message Format (CRMF) request format, a request is
generated for the user's private encryption key.  This key is then stored in
the DRM which is configured to store keys in an encrypted format that can only
be decrypted by several agents requesting the key at one time, providing for
protection of the public encryption keys for the users in the PKI deployment.


> This is not to say there aren't arguments against it: a policy mix up
> or a bug in the central keystore could lead to *all* users having their
> private keys compromised, and an admin who can dip in and grab private
> keys without any evidence would also be bad, but hopefully the "Audit"
> part of IPA means that any access to private keys will be securely
> logged, and flagged if they are by users other than the "owner" of the
> private key.
>
> This is a topic that is very important to me, so I'm quite interested
> to hear how my reasoning may be flawed, or to hear opinions from others.
>
> Regards,
>
> Ian
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

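The property the pki-kra description relies on, that an archived key "can only be decrypted by several agents requesting the key at one time", is the part that answers Ian's worry about a single admin dipping in unnoticed. As an added illustration (not FreeIPA or Dogtag code, and not how the DRM stores keys internally), the stdlib-only Python below models the flow: the archived private key is wrapped under a random key-encryption key (KEK), the KEK is split with Shamir k-of-n secret sharing so that any k agent shares reconstruct it and fewer than k reveal nothing, and a recovery with too few or forged shares fails closed. The HMAC-SHA256 counter-mode wrap is an assumed toy stand-in for the DRM's real storage encryption, the field prime and the key bytes are constructed for the example.

```python
"""Toy model of DRM/KRA-style key archival with k-of-n agent recovery.

Added example, not FreeIPA/Dogtag code. The wrap primitive is a stdlib-only
stand-in (HMAC-SHA256 counter mode + HMAC tag), not the DRM's real storage
cipher; the Shamir field prime is an assumption (any prime > 2**256 works).
"""
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1  # Mersenne prime M521; every 256-bit KEK is a field element


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: deterministic for (kek, nonce), never reused
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def wrap_key(kek: bytes, private_key: bytes) -> dict:
    """Encrypt-then-MAC the private key under the KEK (toy wrap)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(kek, nonce, len(private_key))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(kek: bytes, blob: dict) -> bytes:
    """Verify the tag before decrypting; a wrong KEK fails here, not with garbage."""
    expected = hmac.new(kek, b"tag" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrapped key failed integrity check (wrong KEK or tampering)")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, blob["nonce"], len(blob["ct"]))))


def split_secret(secret_int: int, k: int, n: int) -> list:
    """Shamir: random degree-(k-1) polynomial with f(0)=secret, shares are (x, f(x))."""
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x=0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def archive(private_key: bytes, k: int, n: int):
    """Archive step: blob goes to the DRM store, one KEK share to each of n agents."""
    kek = secrets.token_bytes(32)
    blob = wrap_key(kek, private_key)
    shares = split_secret(int.from_bytes(kek, "big"), k, n)
    return blob, shares


def recover(blob: dict, agent_shares: list, k: int) -> bytes:
    """Recovery step: needs k agents acting together; no single share is useful."""
    if len(agent_shares) < k:
        raise PermissionError(f"recovery needs {k} agents, got {len(agent_shares)}")
    try:
        kek = recover_secret(agent_shares[:k]).to_bytes(32, "big")
    except OverflowError:
        # a forged share interpolates to a random field element, not a 256-bit KEK
        raise ValueError("shares do not reconstruct a valid KEK") from None
    return unwrap_key(kek, blob)


if __name__ == "__main__":
    # Constructed key material for the demo; not a real private key.
    key = b"-----BEGIN PRIVATE KEY----- constructed test bytes"
    blob, shares = archive(key, k=2, n=3)
    assert recover(blob, [shares[0], shares[2]], k=2) == key
    print("2-of-3 recovery OK; single share alone is refused")
```

In a real deployment the per-agent shares would be the agents' own credentials or HSM-held keys and the KEK would never be rebuilt in one process, but the shape is the same: the audit question "who recovered this key" has k answers, never one.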

