> *shrug* it doesn't retroactively enforce the safety net - but that's ok,
> most MS products don't either :)

The whole point is to enhance common practice, not stay at the lowest
common denominator.

> Key management and auditing is pretty much external to the actual software
> regardless of which solution you use I would have thought.

You'd be wrong. :)  I did just download and use XCA for a little bit.
It's practically impossible to audit.  Every key in the database is
protected with the same password.  The system ask for the password
as soon as it starts up.  If I leave the program running while
I leave my computer, I'm screwed.  The key-holder isn't asked to
confirm each signing -- there's no *ceremony* -- and they never
enter the password after the program starts.  For any kind of root
these are all very bad.

XCA is pretty nice for a Level-2 or small Level-1 CA.  The template
management, etc., is pretty good.  (Having them tied to the key database,
and having the keys be unlocked while making cert requests, are both
real bad ideas, however.)

        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to