On Fri December 26 2008, Edward Diener wrote:

> From what others have written, I feel that I am right and coming up
> with elaborate schemes of hiding the client certs from the end-user
> until they are actually going to be used by client application code in
> making the connection is largely a waste of time. Instead we should be
> ensuring that the server database and its data are protected from the
> prying eyes of a destructive hacker.
Yes, we are all on that same page. Sorry if my choice of words may have sounded insulting; it was not my intent.

Presume the worst case, that all _communications_ security has failed - now, look at what you can do in the environment you control, the server(s), to keep the stored information secure - whatever "secure" means in your application of an information storage system.

If not already part of your delivered application, plan on some sort of client-awareness guide to policies they should implement at their end. End-to-end security always includes good client policies and practices.

I can't be anything other than general, since I don't have the specifics. Again, I do not intend to be insulting by being general.

Mike

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org