Best Practices for private key files handling

Michael Ströder michael at stroeder.com
Sun Sep 18 10:26:30 UTC 2022


On 9/18/22 06:09, Philip Prindeville wrote:
>> On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users <openssl-users at openssl.org> wrote:
>> You still haven't explained your threat model, or what mitigation
>> the application can take if this requirement is violated, or why
>> you think this is a "best practice".
>
> The threat model is impersonation, where the legitimate key has been
> replaced by someone else's key, and the ensuing communication is
> neither authentic nor private.

Maybe I'm ignorant but shouldn't this be prevented by ensuring the 
authenticity and correct identity mapping of the public key?

More information is needed about how your system is working to comment 
on this.

Ciao, Michael.


