Yes, a crypto card. But how can I interface it on a Windows box? The engine method of OpenSSL is not so clear to use and is limited to a few crypto cards.
----- Original Message -----
From: "Bear Giles" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 18, 2002 1:28 AM
Subject: Re: Client verification ?

> > The CA root private key can be kept on a floppy
> > or CD which is only inserted for signing to help prevent it being compromised.
>
> If you're really paranoid, get a set of java crypto cards and a reader.
> Last time I checked (10 months ago?) cards were around $100/5, and a
> reader + Linux development kit was around $50.
>
> In theory (read: I haven't actually gotten this to work yet, in part because
> I've been doing more and more with OpenBSD instead of Linux) you can have
> the card generate the root CA key and sign the top-level working certs.
> The cards are then removed and locked in a safe.
>
> Unlike a floppy, a smart card can be configured to NEVER reveal the
> private key. An attacker might be able to extract it by cracking the
> smart card itself, but there are a lot of companies with compelling
> interests in ensuring that this never happens.
>
> This isn't as sexy as one of those titanium-encased crypto boxes, but
> it does give you good hardware protection of your root key at a price
> that's affordable to individuals. Then again, at 200 servers even a
> $10k crypto box is only $50/server.
>
> > > Also the certificate will have to be copied to all
> > > systems that run our software.
>
> You only need to copy the root certificate, but that's easily handled
> as part of your installation process.
>
> Bear
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
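The flow Bear sketches (a root CA key that only ever touches the signing step, and clients that receive nothing but the root certificate) can be walked through with the openssl command-line tool. The script below is an added example, not code from the original thread or from the OpenSSL project; it keeps the root key in an ordinary file so it runs anywhere openssl is on PATH. With a smart card or other PKCS#11 token behind an OpenSSL ENGINE, the `-keyout`/`-CAkey` file arguments would instead reference the key on the token (that engine setup is assumed, not shown). All subject names and file prefixes are constructed for the demo. The second chain, signed by an unrelated "rogue" CA, shows what the relying party's check rejects when it trusts only the distributed root.

```shell
#!/bin/sh
# Added example: two-level CA chain with the openssl CLI, plus the
# relying-party check that needs only the root certificate.
# Assumes an openssl binary on PATH; all names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate and its private key.
# $1 = file prefix, $2 = subject CN.
# In the thread's scenario "$1.key" would live on a floppy/card and
# never be copied anywhere else; with a PKCS#11 ENGINE it would not
# exist as a file at all.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        2>/dev/null
}

# Issue a working (leaf) certificate signed by a CA.
# $1 = CA prefix, $2 = leaf prefix, $3 = leaf subject CN.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 90 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Relying-party check: verify a leaf using ONLY the trusted root cert.
# $1 = trusted root prefix, $2 = leaf prefix. Prints OK or FAIL.
verify_leaf() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
    then
        echo OK
    else
        echo FAIL
    fi
}

# Legitimate chain: root signs the server cert.
make_ca root "Demo Root CA"
issue_cert root server "server.example"

# Unrelated CA issuing a cert with the same CN: the client must reject it
# because it trusts only root.pem.
make_ca rogue "Rogue CA"
issue_cert rogue impostor "server.example"

echo "server.pem   against root.pem: $(verify_leaf root server)"
echo "impostor.pem against root.pem: $(verify_leaf root impostor)"
```

Only `root.pem` has to be shipped with the software; `root.key` stays on the offline medium (or inside the token) and is needed solely when `issue_cert` runs. The `-CAcreateserial` flag writes a serial-number file next to the CA certificate, which is one more artifact to keep with the signing medium rather than on the build host.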