> It's not a joke, it's a fact. And in my opinion it's MUCH better to use a
> small encrypted partition to store a startup script with passphrases than to
> just have the script lying around on the server. If you have a better
> solution I'd like to see it.
To be honest it doesn't really matter, because in order for OpenSSL to accept new SSL connections it needs to have a copy of the private key in memory. nCipher showed a while ago how easy it was to search huge amounts of memory looking for a private key. All you need is a rogue CGI script and an OS that lets you examine your own memory. Adding passphrases to the keys or storing them in an encrypted partition doesn't really get you any additional level of security. If you're worried about your private keys you need to keep them (and do your key operations) in hardware (nCipher, Broadcom etc).

Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]