[stunnel-users] Passphrase validation
Peter Pentes
colemanboy at yahoo.com
Thu Jun 23 01:34:17 CEST 2005
I agree. It would be useful on the client side.
PP
--- Sergio Gelato <Sergio.Gelato at astro.su.se> wrote:
> Vasil Dimov wrote:
>
> >On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter Pentes wrote:
> >
> >>Sorry, what I am referring to here is actually the
> >>passphrase for the private keys, and how Stunnel does
> >>not support encrypted private keys.
> >
> >This would be useless. How do you expect the passphrase for the
> >encrypted private key to be obtained at stunnel startup?
>
> By prompting the user, or by reading it from a configuration file.
>
> On the client side, prompting the user isn't necessarily bad or even
> difficult.
>
> I'll grant you that on the server side, or for unattended client-side
> operation, there is little (if any) actual security benefit from using a
> non-null passphrase and storing it in a separate file; however, some
> software (e.g., Java) does work that way, and I don't see any harm in
> having that possibility. There may also be some non-security benefits:
> I've seen at least one CA policy that requires private keys to be stored
> encrypted while not active, and if you want to comply with the letter
> of such a policy you may have to use a non-null passphrase.
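As an added example that is not part of the thread (it assumes only the openssl CLI is installed; the scratch directory, file names and passphrase are constructed), the two passphrase sources Sergio describes, a separate owner-only file for unattended use and a terminal prompt for interactive clients, applied to a PEM-encrypted RSA key:

```shell
#!/bin/sh
# Added example, not from the stunnel thread: an RSA key encrypted with a
# non-null passphrase, unlocked either from a separate passphrase file
# (the unattended, Java-style setup) or by an interactive prompt.
# Assumes the openssl CLI is on PATH; all paths below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"
ENCKEY="$WORK/key.enc.pem"
PASSFILE="$WORK/passphrase.txt"

# Constructed passphrase kept in a separate, owner-only file (umask 077).
umask 077
printf 'correct horse battery staple\n' > "$PASSFILE"

# Generate a plaintext key, then re-encode it encrypted under the passphrase.
openssl genrsa -out "$KEY" 2048 2>/dev/null
openssl pkey -in "$KEY" -aes256 -passout "file:$PASSFILE" -out "$ENCKEY"
rm -f "$KEY"   # only the encrypted copy stays on disk "while not active"

# Returns 0 when the PEM file cannot be read without the correct passphrase.
key_is_encrypted() {
  ! openssl pkey -in "$1" -passin 'pass:wrong' -noout 2>/dev/null
}

# Unattended startup path: unlock the key with the passphrase read from a file.
load_key_from_file() {
  openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# The passphrase file must be readable by the owner only; otherwise the
# encrypted key is no better protected than a plaintext one.
passfile_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Interactive client path: omit -passin and openssl prompts on the terminal.
#   openssl pkey -in "$ENCKEY" -noout
```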