|
|
Subscribe / Log in / New account

"Smaller attack surface"?

"Smaller attack surface"?

Posted Aug 14, 2025 17:51 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: "Smaller attack surface"? by tialaramex
Parent article: NGINX adds native support for ACME protocol

> Certainly it would be possible for the software case, where the isolation is process isolation or similar rather than potentially separate hardware - still a significant obstacle for most realistic attacks.

Even for software-based HSMs the PKCS interface is not scalable. It's typically implemented with a big lock around the storage, essentially limiting it to a single thread.

> Also you could do something like RFC 9345 "Delegated Credentials", there the idea is you get a certificate but the signatures from the certified key are used to delegate a further credential, so maybe you make one delegation every 30 minutes

Another option is to use constrained intermediary CAs, but neither them, nor delegated credentials are widely supported.

to post comments

"Smaller attack surface"?

Posted Aug 14, 2025 22:57 UTC (Thu) by alp (subscriber, #136414) [Link]

Yeah, the locking is downright ugly, but for some applications, given the concurrent userbase size, and aggressive enough connection reuse and TLS session tickets, it works out.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds