[Help-gnutls] About Future Plans: Private keys encrypted.
e_agf at yahoo.es
Tue Nov 15 20:52:43 CET 2005
I can see that certtool does not encrypt keys and does not support some keys
generated with openssl (encrypted).
I can see:
> int gnutls_x509_privkey_import_pkcs8:
> This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key to the native gnutls_x509_privkey_t format. The output will be stored in key. Currently only RSA keys can be imported,
> and flags can only be used to indicate an unencrypted key.
I think that this is a very high risk security problem for applications that use a file key.
> Internet X.509 Public Key Infrastructure
> Certificate and CRL Profile
> The protection afforded private keys is a critical factor in
> maintaining security. On a small scale, failure of users to protect
> their private keys will permit an attacker to masquerade as them, or
> decrypt their personal information. On a larger scale, compromise of
> a CA's private signing key may have a catastrophic effect. If an
> attacker obtains the private key unnoticed, the attacker may issue
> bogus certificates and CRLs. Existence of bogus certificates and
> CRLs will undermine confidence in the system. If the compromise is
> detected, all certificates issued to the CA shall be revoked,
> preventing services between its users and users of other CAs.
> Rebuilding after such a compromise will be problematic, so CAs are
> advised to implement a combination of strong technical measures
> (e.g., tamper-resistant cryptographic modules) and appropriate
Encryption in the first wall.
In the CVS TODO I cannot find anything about this feature.
Any plans to make this possible in the future?
Thanks, in advance.
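The risk raised above is keys written to disk in plaintext. One practical mitigation while tooling does not encrypt on output is to audit key files and flag the ones that are not passphrase-protected. The script below is an added example, not code from this post, from GnuTLS or from certtool. It distinguishes the three PEM containers involved here: PKCS#8 encrypted keys (label "ENCRYPTED PRIVATE KEY"), PKCS#8 plaintext keys ("PRIVATE KEY"), and the legacy OpenSSL "traditional" labels such as "RSA PRIVATE KEY", where encryption is signalled by Proc-Type/DEK-Info headers inside the block rather than by the label. The PEM bodies in SAMPLE_PEM are constructed dummies, not real key material.

```python
"""Audit PEM text for private keys stored without passphrase protection.

Added example (not GnuTLS/certtool code). Labels follow RFC 7468 and
PKCS#8; the Proc-Type/DEK-Info headers are the legacy OpenSSL convention.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One PEM block: BEGIN label, body (may include headers), matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}
# Legacy OpenSSL keys announce encryption with RFC 1421-style headers.
PROC_TYPE_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.MULTILINE)
DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class KeyFinding:
    label: str                    # PEM label as written in the file
    container: str                # "pkcs8" or "legacy-openssl"
    encrypted: bool               # True if a passphrase is needed to use the key
    cipher: Optional[str] = None  # legacy DEK-Info cipher name, when present


def classify_block(label: str, body: str) -> Optional[KeyFinding]:
    """Return a finding for a private-key block, or None for other PEM types."""
    if label == "ENCRYPTED PRIVATE KEY":
        return KeyFinding(label, "pkcs8", True)
    if label == "PRIVATE KEY":
        return KeyFinding(label, "pkcs8", False)
    if label in LEGACY_KEY_LABELS:
        dek = DEK_INFO.search(body)
        encrypted = bool(PROC_TYPE_ENCRYPTED.search(body)) and dek is not None
        return KeyFinding(label, "legacy-openssl", encrypted, dek.group(1) if dek else None)
    return None  # certificates, CRLs, CSRs and so on are not in scope


def audit_pem(text: str) -> List[KeyFinding]:
    """Scan every PEM block in `text` and report each private key found."""
    findings = []
    for m in PEM_BLOCK.finditer(text):
        finding = classify_block(m.group("label"), m.group("body"))
        if finding is not None:
            findings.append(finding)
    return findings


def unprotected(findings: List[KeyFinding]) -> List[str]:
    """Labels of keys usable by anyone who can read the file (no passphrase)."""
    return [f.label for f in findings if not f.encrypted]


# Constructed sample: bodies are placeholders, not real keys or certificates.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBdummycertificatebody==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBdummypkcs8encryptedbody==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBdummypkcs8plaintextbody==
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MIIBdummylegacyencryptedbody==
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIIBdummylegacyplaintextbody==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    found = audit_pem(SAMPLE_PEM)
    for f in found:
        print(f"{f.label:24} {f.container:15} encrypted={f.encrypted} cipher={f.cipher}")
    print("unprotected:", unprotected(found))
```

Running it over the sample reports two unprotected keys (the plaintext PKCS#8 block and the legacy RSA block without headers). The check is deliberately label-level: an "ENCRYPTED PRIVATE KEY" block tells you a passphrase is required, not how strong the password-based encryption parameters inside it are; assessing that would mean decoding the PKCS#8 EncryptedPrivateKeyInfo, which is outside this example.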