-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 27 Apr 1999, Paul Rubin wrote:
>
> Very good question Wade - it was a topic of discussion in our
> office yesterday. My problem with the server prompting a
> password for cert files is that it impedes the automatic
> system startup on reboot. I would be very interested in
> hearing how this is handled for commercial (and mostly
> unattended) installations. What is industry "best practice"?
> My implementation is not for a web server, but for a highly
> available n-tier OLTP system.
>
I have ~400 sites to start, so we have the passwords follow a schema that
is programmed into a startup program that starts everything, and then depend
on filesystem security to protect that program.
> If you need a lot of hits/sec (a smart card can't handle many) you can
> use a hardware accelerator like the Ncipher (what I'm using) or
> Rainbow accelerators. Ncipher has some patches for the Stronghold
> server to use their accelerator for SSL key management. It shouldn't
> be too hard to do something similar for modssl. They might even be
> willing to do it, if you were to offer to buy some accelerators from
> them. They have SSL acceleration (but not key management) patches for
> SSLEAY. Note, their box costs on the order of $10K (more or less
> depending on model). The IBM 4758 is a much less expensive ($2K) PCI
> plug-in card that's somewhat more flexible, but its software is more
> primitive. If I had the time though, I'd be trying to develop code
> for it and integrate it with openssl. It is a REALLY cool device.
> Anyway, if you have really serious SSL security requirements, this is
> the kind of stuff you have to use. You can't do it with pure
> software.
I use the nCipher boxes extensively; they run from $4,000 to $10,000 depending
on model (the $10,000 version can do 300 sigs/sec while the $4,000 one does 75).
They are wonderful for taking the load off the CPU so that it can
instead be bogged down running CGIs :-)
David Lang
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBNydVlj7msCGEppcbAQFrBgf/dj2qutrCPbLahZmVGOYhxGggn29fWsAI
w/2jrjvrSkpOduXGPEeduEoXHDTg9sLRxUkWmfJUwNNr+uhaLhF54UPoJvskr/LL
eo/E3mNzNg51HV26o5DM8kKY++PobkNio6XrzAP3wC2kt4dIN08MIHeO1F+S3DZg
rwWI/mt5okhOXNI9LkdLfjYJ6RmFj55dcgDww/sIK5bgfoAqo8HAOiHdykth8UgS
M14pU1tr+sin9x9oThfmQpDxJTlzo/M8AHLLeU7NpDR47OUsx+UP1UEoPtYl6ODY
wceYAVBMGqdPikr4xStISk+HYA4fupnJvErl7JnUxPdO5mzCV9db0A==
=cnAM
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
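The startup-program approach David Lang describes (per-site passphrases that follow a fixed schema, protected only by filesystem permissions) can be made concrete. The following is an added example, not code from the post or from the OpenSSL project: it derives each site's passphrase as HMAC-SHA256 over a single master secret, and refuses to run unless that secret is owned by the caller and unreadable by group/other, since filesystem security is the only control in this design. The master secret path, the HMAC schema, the server names and the command-line convention (server:port and key type as arguments, passphrase on stdout, as mod_ssl's `SSLPassPhraseDialog exec:` expects) are assumptions made for the example.

```python
"""Unattended start-up helper for passphrase-protected TLS keys.

Added example (not David Lang's or the OpenSSL project's code): one way to
implement "passwords follow a schema programmed into a startup program".
The HMAC schema, file paths and argument convention are assumptions.
"""
import hashlib
import hmac
import os
import stat
import sys
import tempfile


def check_private(path: str) -> None:
    """Refuse a file unless we own it and group/other cannot read it.

    The whole scheme rests on filesystem security, so this is the check that
    matters: a world-readable master secret is an unencrypted key.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by uid {os.getuid()}")
    if st.st_mode & 0o077:
        raise PermissionError(
            f"{path}: mode {stat.filemode(st.st_mode)} is readable by group/other")


def derive_passphrase(master: bytes, server: str, keytype: str = "RSA") -> str:
    """Passphrase schema (assumed): HMAC-SHA256(master, "server|keytype"), hex.

    Unlike a guessable schema such as "<hostname>-secret", learning one site's
    passphrase reveals nothing about another's, and rotating the master secret
    re-keys every site at once.
    """
    msg = f"{server}|{keytype}".encode()
    return hmac.new(master, msg, hashlib.sha256).hexdigest()


def passphrase_for(master_path: str, server: str, keytype: str = "RSA") -> str:
    """Load the master secret (after the permission check) and derive."""
    check_private(master_path)
    with open(master_path, "rb") as f:
        master = f.read().strip()
    if len(master) < 32:
        raise ValueError("master secret too short")
    return derive_passphrase(master, server, keytype)


def demo() -> dict:
    """Constructed demonstration: a 0600 master secret is accepted,
    a 0644 copy of it is refused.  Returns the two outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "master.key")
        with open(good, "wb") as f:
            f.write(os.urandom(32).hex().encode())
        os.chmod(good, 0o600)
        results["accepted"] = len(passphrase_for(good, "www.example.com:443")) == 64

        bad = os.path.join(d, "leaky.key")
        with open(bad, "wb") as f:
            f.write(b"x" * 64)
        os.chmod(bad, 0o644)
        try:
            passphrase_for(bad, "www.example.com:443")
            results["rejected"] = False
        except PermissionError:
            results["rejected"] = True
    return results


if __name__ == "__main__":
    # Assumed calling convention (matches mod_ssl's SSLPassPhraseDialog exec:):
    # argv[1] is "servername:port", argv[2] is the key type ("RSA"/"DSA"),
    # and the passphrase is written to stdout.
    server, keytype = sys.argv[1], sys.argv[2]
    master_path = os.environ.get("MASTER_SECRET", "/etc/ssl/private/master.key")
    print(passphrase_for(master_path, server, keytype))
```

The trade-off is the one the thread is circling: the key files stay encrypted on disk, but whoever can read the master secret (or the helper, if the schema is hard-coded into it) can decrypt every site's key, so the helper and the secret must be owned by the server's start-up user with mode 0600, and root compromise still yields the keys. That residual risk is what the hardware accelerators mentioned later in the message remove, by never exposing the private key to the host at all.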