Ben Laurie wrote:
> Boyce, Nick wrote:
> >
> > OK. I'm confused (;-). I thought I understood the
> > load-the-certificate-at-Apache-startup issue, but then ...
> >
> > On 28th.April,1999 Paul Rubin wrote :-
> >
> > > If you need a lot of hits/sec (a smart card can't handle many) you can
> > > use a hardware accelerator like the Ncipher (what I'm using) or
> > > Rainbow accelerators
> >
> > and now I'm lost again. Surely the certificate only needs to be loaded (and
> > therefore the passphrase needs to be entered) *once* after Apache startup ?
> > Are you saying it has to be loaded every time the server gets a hit from a
> > browser !!???!?!
>
> If all you do is load the private key (note, the cert is public anyway,
> so why protect it?) from the smartcard, why bother with a smartcard?

Actually, the private key stays on the smartcard. Data must be transferred to the
smartcard for signing. That is why smartcards would presumably slow down SSL.
That is also why the smartcard is more secure than a software solution. In order
to access the key, one needs the smartcard itself, whereas a software key can be
copied.

-Roland