Woogie,

Makes sense. You are spot on with your assumptions.
Thanks for your helpful opinion.

/carl

On Thu, Apr 1, 2010 at 10:18 AM, Woogie <woogie [ at ] gmail [ dot ] com> wrote:
> I hate to dogpile, but yup, security is a process. If you could add
> security to a product the way you add condiments to a burger at
> Harvey's, the world would be a much safer place!
>
> That said, it sounds like you have a Linux system which users don't
> routinely access (in other words, it boots and runs the programs you
> want, but there's no default terminal access through sshd, a monitor,
> or otherwise). The reason you put a passphrase on a certificate is to
> protect the certificate from theft and malicious use - so if for some
> reason the certificate file itself may be vulnerable to copying or
> reading, you secure it with a passphrase which can't be copied as
> easily (it's in somebody's head, it's in a script that most users
> can't read, etc.)
>
> So in your case, I think that the security ramifications of using a
> certificate with or without a passphrase are the same - you're
> primarily concerned about attacks at the network level, including
> traffic capture and analysis or man in the middle attacks. Both kinds
> of certificate behave the same way in that regard.
>
> I'm taking some guesses there, please correct any poor assumptions.
>
> Woogie
>
> On Thu, Apr 1, 2010 at 9:59 AM, Spencer Cheng <scheng [ at ] aotera [ dot ] org> wrote:
>>
>> On Wed, Mar 31, 2010 at 14:55:04 -0400, piper.guy1 wrote:
>>> On Wed, Mar 31, 2010 at 2:35 PM, Joe Burpee <jeb [ at ] burkby [ dot ] com> wrote:
>>>> On Wed, Mar 31, 2010 at 12:54:20 -0400, piper.guy1 wrote:
>>>>> 1. Can you create PEM's in OpenSSL without a passphrase?
>>>>
>>>> openssl req -nodes ...
>>>
>>> Now, as a newbie to security, what's my risk exposure?
>>
>>
>> It's not that simple. How secure your system is a function of your
>> threat model, how the system is designed and how it is implemented.
>> Adding a certificate without password may or may not affect the
>> security level of your system.
>>
>> Regards,
>> Spencer
>>
>> _______________________________________________
>> Linux mailing list
>> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>> http://oclug.on.ca/mailman/listinfo/linux
>>
>
>
>
> --
> Evil will always triumph, because good is dumb
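
As an added example (not part of the thread): the replies above say a passphrase guards the key file against copying, so a key written with `openssl req -nodes` relies on file permissions alone. This sketch classifies a PEM private key by which of those protections it has; the function names and sample files are constructed for illustration and contain no real key material.

```shell
#!/bin/sh
# Added example. File names and PEM bodies are constructed placeholders.

# Succeeds if the PEM private key in $1 is passphrase-protected.
key_is_encrypted() {
    # PKCS#8 encrypted keys have their own BEGIN line; traditional-format
    # keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if group and other have no permission bits on $1.
key_is_owner_only() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints what stands between a local reader and a usable key.
audit_key() {
    if key_is_encrypted "$1"; then
        echo "passphrase"
    elif key_is_owner_only "$1"; then
        echo "file-permissions-only"
    else
        echo "exposed"
    fi
}

# Writes three constructed sample files into directory $1.
make_samples() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/protected.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$1/nodes.pem"
    cp "$1/nodes.pem" "$1/nodes-world.pem"
    chmod 600 "$1/protected.pem" "$1/nodes.pem"
    chmod 644 "$1/nodes-world.pem"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(audit_key "$f")"
done
rm -rf "$dir"
```

A result of `file-permissions-only` matches the headless-box case discussed in the thread: the key is usable by anyone who can read the file, so the file mode and the account that owns it are the whole defence.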