>-----Original Message----- >From: Rich Salz [mailto:[EMAIL PROTECTED]] >Sent: 29 November 2001 12:12 >To: Owen Boyle >Cc: [EMAIL PROTECTED] >Subject: Re: Apache SSL Private Keys > > >The difference is that with a passphrase the rooter must be an active >attacker with an active compromise on your machine, as opposed to a >non-pass phrase which can be a passive attacker trying to >snarf a single >file. More than just warm fuzzy; the first is just downright harder. > /r$ >-- >Zolera Systems, Securing web services (XML, SOAP, Signatures, >Encryption) >http://www.zolera.com
I think your point is a moot one. After all, everyone stores their private keys as mode 0400 owned by user and group root, right? (At least, you should). That is stored in a directory that only root has access to. If you have any exploits on your machine that can retrieve a file like that, (eg file giveaways) you've got bigger problems than a pass-phrase could ever solve. Allegedly NCipher make a crypto card that can store the keys on it, which is supposedly secure, but since they haven't sent me a test one I don't know how secure that is. Physically it's highly secure, being coated in a thick resin that destroys the circuit board if you remove it. - John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
