[Help-gnutls] About Future Plans: Private keys encrypted.

Fran e_agf at yahoo.es
Tue Nov 15 20:52:43 CET 2005


Hello,
I can see that certtool does not encrypt keys and does not support some keys
generated with openssl (encrypted).
I can see:
> int gnutls_x509_privkey_import_pkcs8:
> This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key to the native gnutls_x509_privkey_t format. The output will be stored in key. Currently only RSA keys can be imported, and flags can only be used to indicate an unencrypted key.

I think that this is a very high risk security problem for applications that use a file key.
And others:
> Internet X.509 Public Key Infrastructure
> Certificate and CRL Profile
> The protection afforded private keys is a critical factor in
> maintaining security.  On a small scale, failure of users to protect
> their private keys will permit an attacker to masquerade as them, or
> decrypt their personal information. On a larger scale, compromise of
> a CA's private signing key may have a catastrophic effect.  If an
> attacker obtains the private key unnoticed, the attacker may issue
> bogus certificates and CRLs.  Existence of bogus certificates and
> CRLs will undermine confidence in the system. If the compromise is
> detected, all certificates issued to the CA shall be revoked,
> preventing services between its users and users of other CAs.
> Rebuilding after such a compromise will be problematic, so CAs are
> advised to implement a combination of strong technical measures
> (e.g., tamper-resistant cryptographic modules) and appropriate

Encryption in the first wall.
In the CVS TODO I cannot find anything about this feature.

Any plans to make this possible in the future?

Thanks in advance.


--
Fco. J.




