Howard Chu wrote:
It's clear that nobody in the standards organizations considers storing private keys in the directory to be a safe thing to do. IMO this is just a matter of password security and good ACLs, and the standards should not preclude the option. It is no worse than storing userPassword.
Comparing CA keys with "storing userPassword" is too fuzzy:
1. Because I'm eagerly trying to avoid super-mighty (proxy) roles, a single compromised password hopefully does not have such a broad security impact as a stolen CA private key. And there's 2FA added to the mix for high-security systems.
2. In my deployments I never store clear-text passwords in 'userPassword'. I store reversibly encrypted shared secrets with OATH-LDAP, but they can only be decrypted by a process outside slapd.
So if you plan to store private keys of CAs in the DIT without extra encryption, relying solely on slapd's ACLs, then IMO you have a pretty broad attack surface and I'd never recommend that anyone use that.
Ciao, Michael.
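As an added illustration of the scheme in point 2 (example code, not from this thread or from OATH-LDAP), the following Go program wraps a shared secret under a key held by a hypothetical external unwrap process, so the DIT stores only ciphertext and slapd's ACLs guard a value that is useless without that key. The `{AES-GCM}` prefix, the key and the sample secret are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const wrapPrefix = "{AES-GCM}" // constructed tag marking a wrapped attribute value

// WrapSecret encrypts a shared secret with AES-256-GCM under a key that lives
// only with an external process (hypothetical), never with slapd. The result is
// the string stored in the LDAP attribute: prefix + base64(nonce || ciphertext).
func WrapSecret(key, secret []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce so one value carries both.
	return wrapPrefix + base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, secret, nil)), nil
}

// UnwrapSecret reverses WrapSecret. Anyone reading the DIT (or a dump of it)
// without the external key gets an authentication failure, not the secret.
func UnwrapSecret(key []byte, stored string) ([]byte, error) {
	if !strings.HasPrefix(stored, wrapPrefix) {
		return nil, errors.New("not a wrapped value")
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, wrapPrefix))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("wrapped value too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil) // GCM tag check rejects tampering or a wrong key
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key, held outside slapd
	stored, _ := WrapSecret(key, []byte("JBSWY3DPEHPK3PXP")) // constructed OATH seed
	fmt.Println("attribute value in DIT:", stored)
	plain, err := UnwrapSecret(key, stored)
	fmt.Println("unwrapped outside slapd:", string(plain), err)
}
```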