Re: [stunnel-users] Passphrase validation

I agree. It would be useful on the client side.

PP

--- Sergio Gelato <[email protected]> wrote:

> Vasil Dimov wrote:
>
> > On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter Pentes wrote:
> >
> > > Sorry, what I am referring to here is actually the passphrase for the private keys, and how Stunnel does not support encrypted private keys.
> >
> > This would be useless. How do you expect the passphrase for the encrypted private key to be obtained at stunnel startup?
>
> By prompting the user, or by reading it from a configuration file.
>
> On the client side, prompting the user isn't necessarily bad or even difficult.
>
> I'll grant you that on the server side, or for unattended client-side operation, there is little (if any) actual security benefit from using a non-null passphrase and storing it in a separate file; however, some software (e.g., Java) does work that way, and I don't see any harm in having that possibility. There may also be some non-security benefits: I've seen at least one CA policy that requires private keys to be stored encrypted while not active, and if you want to comply with the letter of such a policy you may have to use a non-null passphrase.