(an opinion)
> Just a thought. To secure the key, it may be necessary to put the key on a
> different machine. When the web server needs it, get it from there. After
> using it, erase it from memory. This solves the core dump problem.
No, I don't think so... The other machine has to decide, if it should send
the key or not. The program has to do some checks or so, but the hacker
could use a wrapper around httpd or simulate the request for the key -
it's easy to fake I think.
I think there wouldn't be *any* good solution at all, since a hacker could
fake all data/information that could be used as authorization...
The hacker could do anythink the server itself could do...
Even the pass phrase input from console could be passed through a kind of
wrapper or so...
I think: You can protect your key with anything, but if a hacker gained
root access, he can get the key!
oki,
Steffen
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]