> If you are only trying to protect the private key from being extracted,
> then the answer is obvious - don't use a software token, use an HSM that
> stores the key in such a way that it cannot be extracted.

And when Julien says HSM, a USB crypto token would provide security
vastly superior to a password-protected PKCS#8/12.  He probably means
hardware tokens in general, which is good advice.

> If you are trying to protect the private key from also being used 
> improperly at any time, then I am not sure what the solution is for 
> servers that need to run and start unattended.

Some HSMs have provisions for even this sort of thing.  You create
quorums of cards with an n of k scheme, where you need at least n out of
k cards to enable the use of a particular key, which implies multiple
people are to be involved in the key activation.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto