I agree. It would be useful on the client side.
PP
--- Sergio Gelato Sergio.Gelato@astro.su.se wrote:
Vasil Dimov wrote:
On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter Pentes wrote:
Sorry, what I am referring to here is actually the passphrase for the private keys, and how Stunnel does not support encrypted private keys.
This would be useless. How do you expect the passphrase for the encrypted private key to be obtained at stunnel startup?
By prompting the user, or by reading it from a configuration file.
On the client side, prompting the user isn't necessarily bad or even difficult.
I'll grant you that on the server side, or for unattended client-side operation, there is little (if any) actual security benefit from using a non-null passphrase and storing it in a separate file; however, some software (e.g., Java) does work that way, and I don't see any harm in having that possibility. There may also be some non-security benefits: I've seen at least one CA policy that requires private keys to be stored encrypted while not active, and if you want to comply with the letter of such a policy you may have to use a non-null passphrase.
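The two passphrase sources the thread discusses (a separate passphrase file for unattended startup, or a passphrase typed at a prompt), as an added shell example that is not stunnel's own code or anything posted in the thread. It needs the openssl command-line tool; the working directory, file names and the passphrase itself are constructed for the example. It also shows the at-rest difference the CA-policy remark turns on: a key generated with a null passphrase is written to disk in the clear, an AES-encrypted one is not, even though a passphrase file sitting next to the key adds little against an attacker who can read both.

```shell
#!/bin/sh
# Added example, not stunnel's code: store a PEM private key encrypted under
# a passphrase, then unlock it the two ways discussed in the thread. Needs the
# openssl CLI. Paths and the passphrase are hypothetical/constructed.
set -eu

WORK="${TMPDIR:-/tmp}/stunnel-key-demo.$$"
mkdir -p "$WORK" && chmod 700 "$WORK"
KEY="$WORK/server.key"
PASSFILE="$WORK/server.key.pass"

# Write the passphrase to a mode-0600 file and generate a 2048-bit RSA key
# encrypted with AES-256 under it. Succeeds only if the PEM on disk is
# really encrypted (its header carries the word ENCRYPTED).
make_encrypted_key() {
    (umask 077; printf '%s\n' "$1" > "$PASSFILE")
    openssl genrsa -aes256 -passout "file:$PASSFILE" -out "$KEY" 2048 2>/dev/null
    grep -q ENCRYPTED "$KEY"
}

# For comparison: a key with a null passphrase is stored in the clear.
make_plain_key() {
    openssl genrsa -out "$WORK/plain.key" 2048 2>/dev/null
    ! grep -q ENCRYPTED "$WORK/plain.key"
}

# Unattended mode: the daemon reads the passphrase from a separate file at
# startup. Exit status 0 means the key decrypted, non-zero means it did not.
unlock_from_file() {
    openssl pkey -in "$KEY" -passin "file:$1" -noout 2>/dev/null
}

# Interactive mode: the passphrase arrives on stdin, as a prompt would
# collect it (with no -passin at all, openssl prompts on the terminal).
unlock_from_stdin() {
    printf '%s\n' "$1" | openssl pkey -in "$KEY" -passin stdin -noout 2>/dev/null
}

if make_encrypted_key 'correct horse battery staple' && make_plain_key; then
    unlock_from_file "$PASSFILE" && echo "passphrase from file: key unlocked"
    unlock_from_stdin 'correct horse battery staple' && echo "passphrase from prompt: key unlocked"
    unlock_from_stdin 'not the passphrase' || echo "wrong passphrase: key refused"
fi
```

Run it as an ordinary user; it only writes into a private temporary directory. The passphrase file is created with umask 077 because, once the daemon depends on it, that file is exactly as sensitive as the key it protects.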