> Netscape servers have PKCS11 support so you can store the key in a
> secure token (i.e. smart card). I think it would be good if modssl
> also supported something like this.
mod_ssl already _DOES_ support this ;) All you have to write is
a program for your particular smartcard which is able to write
the retrieved pass phrase to stdout. You can plug such a
program directly into mod_ssl's pass phrase handling by using
"SSLPassPhraseDialog exec:/path/to/your/program". That's
all. What I'll definitely not do is add any
smartcard-vendor-specific code into mod_ssl.
Storing the pass phrase on a smart card is preferable to storing it
on disk, but it doesn't really secure the secret key. If the smart
card just sends the pass phrase to the server, the server decrypts
the secret key and has it in memory, from which it gets written out
to swap space, and later when the computer is scrapped someone can
recover it, and so forth.
A proper PKCS11 solution is to keep the private key on the card and do
the RSA signature entirely on the card. This is what I'm suggesting
that modssl should support. Not in a vendor specific way, but just
to support the PKCS11 commands to do the secret key operations.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
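As an added illustration of the "SSLPassPhraseDialog exec:" hook discussed above (this is example code written for this page, not code from mod_ssl or from any of the correspondents): a POSIX sh helper that mod_ssl would run at startup. It follows the calling convention the mod_ssl documentation describes, two arguments, "servername:port" and the key algorithm (RSA or DSA), with the pass phrase expected on stdout. The smart-card retrieval is a stand-in: fetch_passphrase reads a constructed in-script table, and a real deployment would replace only that function with the vendor's token reader. Everything else (argument validation, refusing to print anything for an unknown key, the hypothetical host names and phrases) is this example's own.

```shell
#!/bin/sh
# Added example: pass-phrase helper for
#   SSLPassPhraseDialog exec:/path/to/this/script
# mod_ssl invokes the program as:  script servername:port RSA|DSA
# and reads the pass phrase from stdout.

# Constructed stand-in for the smart-card back end (assumption: a real token
# reader replaces this table and fetch_passphrase, nothing else changes).
PASSPHRASE_TABLE='www.example.com:443 RSA correct-horse-battery-staple
mail.example.com:993 RSA another-constructed-secret'

# fetch_passphrase SERVER:PORT ALGO
#   Prints the matching pass phrase (one line) and returns 0;
#   prints nothing and returns 1 when no entry matches.
fetch_passphrase() {
    printf '%s\n' "$PASSPHRASE_TABLE" | awk -v srv="$1" -v alg="$2" '
        $1 == srv && $2 == alg { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# valid_server_spec SERVER:PORT -> 0 if it looks like host:port, else 1.
# mod_ssl only ever passes well-formed specs; checking anyway keeps the
# helper from being driven by arbitrary strings if run by hand.
valid_server_spec() {
    case $1 in
        *:*[!0-9]*) return 1 ;;   # anything after the colon must be digits
        *:[0-9]*)   return 0 ;;
        *)          return 1 ;;
    esac
}

# main SERVER:PORT ALGO -> pass phrase on stdout, diagnostics on stderr only.
main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 servername:port RSA|DSA" >&2
        return 2
    fi
    if ! valid_server_spec "$1"; then
        echo "refusing malformed server spec: $1" >&2
        return 2
    fi
    case $2 in
        RSA|DSA) ;;
        *) echo "unknown key algorithm: $2" >&2; return 2 ;;
    esac
    # Print nothing on failure: mod_ssl then simply fails to unlock the key
    # instead of trying an empty or error-message "pass phrase".
    if ! fetch_passphrase "$1" "$2"; then
        echo "no pass phrase available for $1 ($2)" >&2
        return 1
    fi
}

# Act as the real helper only when mod_ssl (or a human) passes arguments;
# with none, the functions are just defined.
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Note that this only moves the pass phrase out of the config file and off the server's disk; as the second correspondent points out, the decrypted private key still lives in the server's memory, which a PKCS#11 on-card signing setup would avoid.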