Hi there!

On Sat, 26 Mar 2011 18:57:26 +0100, Luca Capello wrote:
> Indeed, the output certtool now displays when creating a CSR seems to me
> a template, albeit it includes the CSR at the end.
>
> This is a big regression WRT to security and I do not share Simon's view
> about putting password on files and protect them with restricted file
> modes: by default, no password of any kind should be written on a file.
>
> IMHO Severity: should be more than important, but neither the definition
> of serious nor the one of grave seemed to fit what I just wrote above.

Now that I fully tested the CSR generation (sorry, my fault for not
having done this before), I am even more scared:

=====
luca@gismo:~$ #certtool --generate-request \
 --load-privkey pca.it.key --outfile gallery.pca.it.csr
luca@gismo:~$ ls -la ~/ | grep .ssl
drwx------ 4 luca luca 4096 Dec 10 00:10 .ssl
luca@gismo:~$ ls -la ~/.ssl | grep private
drwx------ 2 luca luca 4096 Mar 26 19:01 private
luca@gismo:~$ ls -la ~/.ssl/private/ | grep gallery
-rw-r--r-- 1 luca luca 4067 Mar 26 19:02 gallery.pca.it.csr
=====

If certtool must continue including "useless" information in the CSR
output, at least it must create the output file with restricted file
mode.

Thx, bye,
Gismo / Luca
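
The file-mode behaviour reported above, as an added example that is not part of the original message and not certtool's own code: a file created with a plain fopen() gets whatever the umask leaves (the -rw-r--r-- in the listing), while open() with an explicit 0600 mode is owner-only from the moment it exists. The /tmp paths are constructed and the umask of 022 is an assumption (a common default).

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Plain creation: fopen() requests 0666 and the umask trims it. */
static int create_default(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fclose(fp);
    return file_mode(path);
}

/* Restricted creation: owner-only from the first moment the file exists.
 * O_EXCL refuses a path that already exists (including a symlink). */
static int create_restricted(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    close(fd);
    return file_mode(path);
}

int main(void)
{
    /* Constructed paths and an assumed umask of 022 (a common default). */
    const char *plain = "/tmp/example-default.csr";
    const char *tight = "/tmp/example-restricted.csr";

    umask(022);
    unlink(plain);
    unlink(tight);
    printf("fopen():            %04o\n", (unsigned)create_default(plain));
    printf("open(..., 0600):    %04o\n", (unsigned)create_restricted(tight));
    printf("second open O_EXCL: %d\n", create_restricted(tight));
    unlink(plain);
    unlink(tight);
    return 0;
}
```

Setting the mode in the open() call rather than with a later chmod() avoids a window in which the file is readable by others.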

