Heikki Toivonen wrote:
Julien Pierre wrote:
I believe (but am not sure) that PEM format may contain the object in plaintext, and thus is not a suitable secure transport format for a private key, unlike PKCS#12, which allows the key within the file to be encrypted, when you set a passphrase, and thus PEM is considered too insecure a format to support for NSS and Mozilla, at least as far as private keys are concerned.
I can protect PEM format objects with passphrases using OpenSSL.
Yes, but you don't have to. Most folks don't.
A .PEM file is a text file containing one or more blocks of lines with the following general format:
---- BEGIN something ----
(lines containing only base64 encoded data, typically broken at 64 columns)
---- END something ----
IIRC, this is called the "PEM" format because this general format was codified in the "Privacy Enhanced Mail" RFCs, which were predecessors of the S/MIME RFCs. See RFC 989 pages 11-15 for the original specification and examples.
Today, a "PEM" file can contain many different kinds of objects, including public keys, certificates, private keys (encrypted or not), cert signing requests, and lots of other goodies. The file extension "pem" only tells you that the file contains one or more goodies in that format. It doesn't tell you what the goodies are, and that file format doesn't (IMO) promote secure key storage and management.
There is a certain tool that makes PEM files that contain unencrypted private keys. The tool can be made to encrypt them, but does not require that, and many users simply choose to skip it. Since we're trying to promote real security, and not the willy-nilly use of keys, we want to discourage the use of files of plaintext private keys as a key transport mechanism. That, in a nutshell, is why mozilla only imports private keys in PKCS12 format, which format does not define or allow the transport of unencrypted private keys.
mozilla is able to import certs from files in pem format, provided that those files do not contain other types of goodies, IIRC.
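As an added example, not part of this thread or of any Mozilla/NSS code: a small Python checker for the PEM container described above. It splits a file into its BEGIN/END blocks, records the optional header lines, base64-decodes each body, and flags private key blocks that are not password-protected, which are the plaintext keys the post warns against. It uses the five-dash delimiters that real PEM files carry (RFC 7468), treats the legacy `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `ENCRYPTED PRIVATE KEY` label as the two encrypted forms, and runs on a constructed sample whose base64 bodies are placeholder bytes rather than real keys or certificates. The class and function names are my own assumptions.

```python
import base64
import re
from dataclasses import dataclass, field

# Delimiter lines as they appear in real PEM files: five dashes, no space
# between the dashes and the BEGIN/END keyword (RFC 7468).
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Labels that carry private key material. "ENCRYPTED PRIVATE KEY" is the
# PKCS#8 label whose contents are always password-protected; the others are
# plaintext unless the legacy "Proc-Type: 4,ENCRYPTED" header is present.
_PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY",
    "DSA PRIVATE KEY",
    "EC PRIVATE KEY",
}


@dataclass
class PemBlock:
    """One BEGIN/END block: its label, header lines, and decoded body."""
    label: str
    headers: dict[str, str] = field(default_factory=dict)
    der: bytes = b""

    @property
    def is_private_key(self) -> bool:
        return self.label in _PRIVATE_KEY_LABELS

    @property
    def is_encrypted(self) -> bool:
        if self.label == "ENCRYPTED PRIVATE KEY":
            return True
        return self.headers.get("Proc-Type", "") == "4,ENCRYPTED"


def parse_pem(text: str) -> list[PemBlock]:
    """Split PEM text into blocks; raise ValueError on a malformed file."""
    blocks: list[PemBlock] = []
    current: PemBlock | None = None
    headers_done = False
    body_lines: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"nested BEGIN inside {current.label}")
            current = PemBlock(label=m.group(1))
            headers_done = False
            body_lines = []
            continue
        m = _END.match(line)
        if m:
            if current is None or m.group(1) != current.label:
                raise ValueError(f"unmatched END {m.group(1)}")
            try:
                # validate=True rejects characters outside the base64 alphabet
                current.der = base64.b64decode("".join(body_lines), validate=True)
            except ValueError as exc:  # binascii.Error is a ValueError subclass
                raise ValueError(f"bad base64 in {current.label} block") from exc
            blocks.append(current)
            current = None
            continue
        if current is None:
            continue  # text outside any block is ignored, as PEM readers do
        if not headers_done:
            if line == "":
                headers_done = True  # blank line ends the header section
                continue
            if ":" in line:  # base64 never contains ':', so this is a header
                key, _, value = line.partition(":")
                current.headers[key.strip()] = value.strip()
                continue
            headers_done = True  # first non-header line starts the body
        body_lines.append(line)
    if current is not None:
        raise ValueError(f"missing END for {current.label}")
    return blocks


def plaintext_private_keys(text: str) -> list[str]:
    """Labels of private key blocks whose key material is not encrypted."""
    return [b.label for b in parse_pem(text)
            if b.is_private_key and not b.is_encrypted]


# Constructed sample: the base64 bodies are placeholder bytes, not real
# DER-encoded keys or certificates, and the DEK-Info IV is made up.
_FAKE_DER = base64.b64encode(
    b"constructed placeholder, not real key material").decode()

SAMPLE_PEM = f"""\
-----BEGIN CERTIFICATE-----
{_FAKE_DER}
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
{_FAKE_DER}
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

{_FAKE_DER}
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
{_FAKE_DER}
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for block in parse_pem(SAMPLE_PEM):
        print(f"{block.label:24s} private={block.is_private_key} "
              f"encrypted={block.is_encrypted} bytes={len(block.der)}")
    print("plaintext private keys:", plaintext_private_keys(SAMPLE_PEM))
```

Run against the sample, the checker reports only the second block (the `RSA PRIVATE KEY` with no `Proc-Type` header) as a plaintext private key; the certificate is not a key, and the other two blocks are protected. The parser deliberately does not decode the DER inside a block, so it can triage a file without any crypto library; whether the ciphertext inside an encrypted block is strong is a separate question.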
