I feel that the binary states of "secure" / "insecure" are an over-simplification, as there is no such thing as "secure". You can only say that you've put a certain amount of educated, best-you-can-do-within-your-budget effort into making it secure. Security is best achieved by deciding who you want to secure against and then doing your best to secure against those "attackers" - but as we all know, new "attackers" can appear, making all previous effort null and void...
To avoid a single point of failure, and to "make it harder", best practice says that security is implemented in independent layers. This gives the "defender" more time to detect / catch / stop the intrusion.

Take a bicycle, and leave it in the city centre with some string attaching it to a lamp post... no particular deterrent. Add a 150 euro lock - makes things harder. Put an armed guard on the bicycle. It still isn't "secure" - someone who was really determined could still take it... but you've raised the bar beyond what most attackers are prepared to attempt...

In the case of passphrase security, it is just another layer - English gives of the order of one bit of entropy per character, so the passphrase has to be very long to be worth more than a piece of string holding that bicycle :-)

Sean O'Riordain

Owen Boyle wrote:
>
> Logically, your machine can be in only one of two states; secure or
> insecure:
>
> (1) If you have a secure machine, a passphrase is unnecessary - so you
> don't need it.
>
> (2) If you have an insecure machine, a passphrase is useless - so you
> still don't need it.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
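The "about one bit per character" remark above is easier to weigh with numbers. The following is an added example, not code from the post or from the mod_ssl project: it estimates how long a private-key passphrase has to be, under three construction strategies, to reach a chosen entropy target, and how long an offline guessing attack on the key file would take at an assumed guess rate. The figures for the alphabet size (95 printable ASCII characters), the word-list size (7776, a Diceware-style list) and the 1 bit/char rate for English prose are assumptions of the example, as is the guess rate used in the demo at the bottom.

```python
import math

# Assumed parameters for this example (not from the original post):
PRINTABLE_ASCII = 95          # symbols a random printable-ASCII passphrase is drawn from
DICEWARE_WORDS = 7776         # 6^5 entries in a Diceware-style word list
ENGLISH_BITS_PER_CHAR = 1.0   # rough Shannon estimate for running English text, as in the post


def bits_random_chars(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters chosen uniformly at random from `alphabet` symbols."""
    return length * math.log2(alphabet)


def bits_diceware(words: int, wordlist: int = DICEWARE_WORDS) -> float:
    """Entropy of `words` words chosen uniformly at random from a list of `wordlist` entries."""
    return words * math.log2(wordlist)


def bits_english_prose(length: int, per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Entropy of `length` characters of ordinary English prose at ~1 bit/char."""
    return length * per_char


def length_for_target(target_bits: float, bits_per_unit: float) -> int:
    """Smallest number of units (characters or words) whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_unit)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline brute-force search: on average half the space is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(target_bits: float = 128.0) -> dict:
    """How many characters/words each strategy needs to reach target_bits of entropy."""
    return {
        "random_printable_chars": length_for_target(target_bits, math.log2(PRINTABLE_ASCII)),
        "diceware_words": length_for_target(target_bits, math.log2(DICEWARE_WORDS)),
        "english_prose_chars": length_for_target(target_bits, ENGLISH_BITS_PER_CHAR),
    }


if __name__ == "__main__":
    # A 12-character English phrase: the "piece of string" case from the post.
    prose = bits_english_prose(12)
    # 1e9 guesses/s is an assumed rate for an attacker who has copied the key file.
    rate = 1e9
    print(f"12 chars of English prose: {prose:.0f} bits, "
          f"~{expected_crack_seconds(prose, rate):.6f} s to exhaust at {rate:.0e} guesses/s")
    print("Length needed for 128 bits:", compare(128.0))
```

Running the script shows the gap the post is pointing at: twelve characters of prose are worth about 4096 guesses, while matching a 128-bit key takes roughly 20 random printable characters, 10 random dictionary words, or on the order of 128 characters of ordinary English. Whichever strategy you pick, the passphrase is still only a layer on top of file permissions and host hardening, as the post says.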
