Looking at some comments from Peter Guttman from way back he reports having a large collection of PKCS#12 files with private keys and no password.
Ooops So I am wondering if this might be one of the holes being exploited? It would be consistent with a lot of what we have heard. There seem to be several issues 1) Chronic usability issues on Windows re PFX PKCS#12 which leads users to export without a password 2) Weak cipher suites. The strongest seems to be 3DES, I suspect the default is RC4 which is one of the ciphers I trust least right now. The ciphersuites issue seems to be a real problem. PKCS#12 does not use standard identifiers so a new one has to be cut each time and because it is a low priority it tends to lag. It is also unnecessarily captive to the legacy base. There is a draft to update PKCS#12 and to put it under IETF control. I think it needs to be given a higher priority (the draft has expired BTW). It could also do to have some examples. I am finding the draft very opaque without. http://tools.ietf.org/html/draft-moriarty-pkcs12v1-1-01 -- Website: http://hallambaker.com/
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
