On Sat, Dec 27, 2008 at 07:33:19AM -0600, Michael S. Zick wrote:

> They have to "install" your application also.  Let the installation
> and/or registration process write the button also.
> You can't write the button for the client, you don't have the client's
> private key (the only thing worth protecting).
> 
> The topic of the thread was where to store the client side security
> information; the answer is: in a hardware token.

One answer is in a hardware token, but this is not the only answer. Let's
not get too hung up on the details of the private key store. The OP
has more important architectural issues to resolve first. Once those
are dealt with, perhaps the security model will make it attractive to
shield keys from disclosure via storage in hardware tokens, or perhaps
the risk of compromise will not warrant the cost of hardware tokens.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
