Subrata,

Subrata Mazumdar wrote:
> Wan-Teh Chang wrote:
>> On Sat, Sep 27, 2008 at 12:17 PM, Nelson B Bolyard
>> <[EMAIL PROTECTED]> wrote:
>>
>>> Subrata Mazumdar wrote, On 2008-09-27 06:33:
>>>
>>>> Actually, the problem is even worse - some of the applications use
>>>> unencrypted private keys.
>>>>
>>> That is precisely why NSS does not support PKCS#8 files. Applications
>>> that generate private keys and then just leave them lying around in
>>> unprotected files are having fun with cryptography, but aren't serious
>>> about security. NSS is serious about security.
>>>
>>
>> I am very interested in the secure solution to this problem: how to
>> manage a large number of servers easily. It'd be cumbersome
>> to have to enter the password for the private key on each of the
>> servers.
>>
>> I suspect that some NSS-based servers read the password from
>> an unencrypted file. Our selfserv test program has such an
>> option (-f password_file). How does mod_nss solve this problem?
>>
>> Wan-Teh
>>
> I was wondering about this problem. I am also curious to find out what
> the best practice is for storing the password that servers use to access
> protected key stores.
> --
> Subrata
If you are only trying to protect the private key from being extracted, then the answer is obvious - don't use a software token, use an HSM that stores the key in such a way that it cannot be extracted. If you are trying to protect the private key from also being used improperly at any time, then I am not sure what the solution is for servers that need to run and start unattended.
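The thread mentions that selfserv can take the token password from a plain file (-f password_file), and asks what the best practice is for storing such a password on an unattended server. The following is an added example, not code from the thread, from NSS or from mod_nss: a loader for a selfserv-style password file that refuses the file unless it is a regular file (not a symlink), owned by the server's uid, with no group/other permission bits, and that performs every check on the already-open descriptor so the file cannot be swapped between check and read. It assumes a POSIX host; the function name load_token_password and the file names in demo() are hypothetical, and the sample files are constructed by the example itself.

```python
import errno
import os
import stat
import tempfile

# Added example, not code from the dev-tech-crypto thread or from NSS/selfserv.
# Assumes a POSIX host; load_token_password and the file names are hypothetical.


class UnsafePasswordFile(Exception):
    """The passphrase file could be read or replaced by someone other than the server user."""


def load_token_password(path, expected_uid=None):
    """Return the first line of a selfserv-style password file, or refuse it.

    Refuses: symlinks (O_NOFOLLOW), non-regular files, files not owned by
    expected_uid (default: the calling user), and any group/other permission
    bits. All checks run on the open descriptor, so the file cannot be
    replaced between the check and the read (TOCTOU).
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        # O_NOFOLLOW makes the kernel reject a symlink with ELOOP.
        if e.errno == errno.ELOOP:
            raise UnsafePasswordFile(f"{path}: is a symlink") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePasswordFile(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafePasswordFile(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise UnsafePasswordFile(
                f"{path}: mode {oct(st.st_mode & 0o777)} grants group/other access")
        data = os.read(fd, 4096)
    finally:
        os.close(fd)
    # selfserv-style file: the password is the first line.
    password = data.split(b"\n", 1)[0].decode("utf-8")
    if not password:
        raise UnsafePasswordFile(f"{path}: empty first line")
    return password


def demo():
    """Constructed sample files: one safe, one world-readable, one symlink."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "token.pw")
    with open(safe, "w") as f:
        f.write("constructed-sample-password\n")
    os.chmod(safe, 0o600)

    leaky = os.path.join(d, "leaky.pw")
    with open(leaky, "w") as f:
        f.write("constructed-sample-password\n")
    os.chmod(leaky, 0o644)

    link = os.path.join(d, "link.pw")
    os.symlink(safe, link)

    results = {"safe": load_token_password(safe)}
    for name, p in (("leaky", leaky), ("link", link)):
        try:
            load_token_password(p)
            results[name] = "accepted"
        except UnsafePasswordFile as e:
            results[name] = "refused: " + str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check only narrows who else on the host can read or substitute the password; it does not change the point made above. Anyone running code as the server's uid still gets the password and, with it, unrestricted use of the software token, which is exactly the case only an HSM (or some other mechanism outside the server process) can address.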