I am wondering just how bad OpenSSL is?
While one can find various software engineering faults, I think that the main issue is
not that it is bad; it is that OpenSSL is written for cryptographic experts,
not standard software developers.
The unfortunate thing is that most of the time the latter
passwords are insecure, PKCs are secure, therefore anything
that uses PKCs is magically made secure
Well, as you said, you have to look at what happens in the real world. I would
argue PKCs make things obscure, which buys you a fair amount of security until
some undetermined point in time
Ian,
I've led or been involved with several projects in academia that have used
HSMs as a basis for a CA. I can't say I've done a cost analysis at the level of
granularity you seem to be looking for, but I will say that at a high level,
the added personnel costs of integrating and maintaining
Bernie Cosell ber...@fantasyfarm.com writes:
On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
Yes, ideally people would have a separate, strong password, changed
regularly for every site.
This is the very question I was asking: *WHY* changed regularly? What
threat/vulnerability is