As I was reading this very interesting thread, I kept asking myself
"what are we trying to protect". Are we trying to protect a "Private
Key" or a "PKCS#12" file? I suppose the consensus of the community,
based mainly on compatibility issues, is that we can't avoid the
solution of a PKCS#12

Basically I like the new wording:
> PKCS#12 files [...] SHALL have a password containing at least 112 bits
> of output from a CSPRNG, [...]
But I think there is a practical problem here: Directly using the output of any
random number generator ("C" or not) to generate a password will lead to