[Openid-specs-fapi] Securing server keys

Anders Rundgren anders.rundgren.net at gmail.com
Wed Oct 6 16:17:55 UTC 2021 

On 2021-10-06 17:17, Tim Cappalli wrote:
> Most container platforms have a way of passing secrets securely to the container <https://docs.docker.com/engine/swarm/secrets/>.
> 
> The app could also leverage a KMS like Azure Key Vault <https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-node> or AWS KMS.

Thanx Tim!

I did not know about Docker's ability to import secrets.

I find it a bit depressing that TPMs after 20 years of TCG activity still can't be used for secure key generation and storage without requiring hard-to-find expertise.

I'm happy that the FIDO/WebAuthn folks got their act together [*].

Anders

*] Modulo payments :)

> 
> tim
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *From:* Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> *Sent:* Wednesday, October 6, 2021 01:35
> *To:* Financial API Working Group List <Openid-specs-fapi at lists.openid.net>
> *Cc:* Anders Rundgren <anders.rundgren.net at gmail.com>
> *Subject:* [Openid-specs-fapi] Securing server keys
> Hi List;
> This is an off-topic posting but maybe you guys have an idea about this anyway? :)
> There are tons of applications out there that depend on private or secret keys for securing server-to-server communication.
> 
> This is a typical configuration:
> 
>    // Application certificate
>     cert: fs.readFileSync('cert.crt'),
>     // Private key associated with application certificate
>     key: fs.readFileSync('key.pem'),
>     // Public certificate chain.
>     ca: fs.readFileSync('ca.pem'),
> 
> Open question: How do you envision that this problem could be addressed?
> 
> thanx,
> Anders
>

More information about the Openid-specs-fapi mailing list