I'm adding in SSL into a closed-system/product. I'm concerned about the
protection of the client-side certificates. My (limited) understanding of
crypto says that it's critical to protect the client certificate, otherwise
authentication is compromised (anyone who can copy the client certificate
can pretend to be that client). That is the reason for the 'pass phrase', right?
I'm wondering how other SSL systems get away without one.
For example, IIS Server and IE and Netscape clients never ask me for
pass phrases when using certificates. Does this mean, as I suspect,
that those products are not really secure? Or have they found another
method to protect certificates from copying without requiring pass phrases?
--------------------------------------------------
David A. Lee
Dal Enterprises Inc.
http://www.calldei.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
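
Added example, not part of the original post or of OpenSSL's code: in PEM files the pass phrase applies to the private key block that accompanies a certificate, and the block's framing shows whether a key on disk is encrypted. This Python sketch classifies the PEM blocks in a file so unprotected keys can be flagged; the function names are hypothetical and the sample blocks are constructed with placeholder bodies.

```python
import re

# Constructed sample: placeholder base64 bodies, not real key material.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

# One PEM block: the label, then everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem(text):
    """Return (label, status) for every PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted key (PKCS#8)"
        elif label.endswith("PRIVATE KEY"):
            # The traditional format marks encryption with a Proc-Type header.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.MULTILINE):
                status = "encrypted key (legacy PEM)"
            else:
                status = "UNPROTECTED key"
        elif label == "CERTIFICATE":
            status = "public certificate"
        else:
            status = "other"
        results.append((label, status))
    return results

def unprotected_keys(text):
    """Labels of private key blocks stored without a pass phrase."""
    return [l for l, s in classify_pem(text) if s == "UNPROTECTED key"]

if __name__ == "__main__":
    for label, status in classify_pem(SAMPLE):
        print(f"{label}: {status}")
```
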