Nelson Bolyard wrote:
There is a certain tool that makes PEM files that contain unencrypted private keys. The tool can be made to encrypt them, but does not require that, and many users simply choose to skip it. Since we're trying to promote real security, and not the willy-nilly use of keys, we want to discourage the use of files of plaintext private keys as a key transport mechanism. That, in a nutshell, is why Mozilla only imports private keys in PKCS12 format, which format does not define or allow the transport of unencrypted private keys.

This seems like an extremist approach. Users can always find ways to shoot themselves (for example, having the password in a plain text file next to the password-protected private key).


Why not enable importing in PEM format as well, and in case the PEM is not protected by a password, inform the user of this fact and require the user to set a password?

People who encrypt their stuff are happy, people who don't encrypt get a nag and maybe learn a little about security and in the end will be happy as well...

--
  Heikki Toivonen
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
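
The check proposed in the reply above (detect a PEM private key that is not password-protected and require a password before import), sketched as an added example; it is not code from the original post or from Mozilla. The function names and decision strings are hypothetical, the sample PEM blocks are constructed placeholders, and only PKCS#8 and traditional OpenSSL-style labels are recognised.

```python
import re

# One PEM block: label, then optional RFC 1421 headers plus the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# Traditional-format keys declare encryption in an encapsulated header.
ENCRYPTED_HEADER = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.MULTILINE)
TRADITIONAL = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}

def classify_private_keys(pem_text):
    """Return (label, status) per private key block; key material is never decoded."""
    results = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if not label.endswith("PRIVATE KEY"):
            continue                      # certificates, public keys, parameters
        if label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted"          # PKCS#8 EncryptedPrivateKeyInfo
        elif label == "PRIVATE KEY":
            status = "plaintext"          # PKCS#8 PrivateKeyInfo
        elif label in TRADITIONAL:
            status = "encrypted" if ENCRYPTED_HEADER.search(body) else "plaintext"
        else:
            status = "unknown"            # format this sketch cannot judge
        results.append((label, status))
    return results

def import_decision(pem_text):
    """Hypothetical import policy: accept encrypted keys, nag on plaintext ones."""
    statuses = [status for _, status in classify_private_keys(pem_text)]
    if not statuses:
        return "reject: no private key found"
    if "unknown" in statuses:
        return "reject: unrecognised private key format"
    if "plaintext" in statuses:
        return "nag: key is unprotected, require the user to set a password"
    return "accept"

# Constructed sample input; the base64 body is a placeholder, not a real key.
BODY = "Q09OU1RSVUNURUQ=\n"
SAMPLE_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n" + BODY
                + "-----END RSA PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                     + BODY + "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
                    + "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_LEGACY_ENC, SAMPLE_PKCS8_ENC):
        print(classify_private_keys(sample), "->", import_decision(sample))
```

The label and header only state that a block is encrypted; they say nothing about the strength of the cipher or of the password.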
