From: "Howarth, Richard"
To: users@httpd.apache.org
Date: Mon, 18 Nov 2002 09:47:37 -0000
Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup

> Having said that, my personal opinion is that there's not much point to
> the passphrase - an SSL server should be highly secure anyway, with the
> cert readable only by root, so theft of the cert should be as difficult
> as finding out the passphrase - i.e. anyone who can copy the cert has to
> have root privilege and so would know the passphrase anyway.

Or it can be as easy as obtaining a backup - either by theft, careless handling of backup media, or simply making an offer to a lowly-paid operator that they can't refuse. The certificate can then be restored and used without recourse to root privilege. Once it is out in the wild, you have lost it.

> I think the safest way to run is without passphrase but with a highly
> secure webserver.

The passphrase is another layer in the security onion.
Whether or not you should be using it will depend upon the nature of your business, your local data protection laws, and what the people who audit your company's accounts and practices think. For private use and small business it may not be an issue, but in an increasingly litigious world it is worth thinking twice before making yourself culpable by willfully failing to implement, or circumventing, a security feature.

Richard.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
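The "restore the key from a backup and use it" scenario, as an added example that is not part of the original message or of the Apache project's code: a throw-away RSA key is written out once unencrypted and once AES-256-wrapped under a passphrase, and each file is then loaded the way someone holding a copy of the file (and not the passphrase) would load it. It assumes only the openssl command-line tool; the temporary file names and the passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows the difference the
# passphrase makes to a key file that has left the server (e.g. on a backup):
# the plain PEM key loads for anyone holding the file, the encrypted one does
# not load without the passphrase. Assumes the openssl CLI is on PATH; the
# file names and passphrase below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an unencrypted 2048-bit RSA key: what a "no passphrase" web server
# keeps on disk, and what ends up verbatim on a backup of that disk.
gen_plain_key() {
    openssl genrsa -out "$WORK/plain.key" 2048 >/dev/null 2>&1
    echo "$WORK/plain.key"
}

# Re-encode the same key with AES-256 under a passphrase: what a key that
# Apache prompts for at startup looks like at rest.
#   $1 = plain key path, $2 = passphrase
encrypt_key() {
    openssl rsa -in "$1" -aes256 -passout "pass:$2" -out "$WORK/enc.key" \
        >/dev/null 2>&1
    echo "$WORK/enc.key"
}

# Model the person who has the file but not the passphrase: try to parse the
# key while offering a wrong passphrase. Exit 0 if the key is usable anyway
# (openssl ignores the passphrase entirely for an unencrypted key).
#   $1 = key path
usable_without_passphrase() {
    openssl rsa -in "$1" -noout -passin pass:not-the-real-passphrase \
        >/dev/null 2>&1
}

# Exit 0 if the key parses with the given passphrase.
#   $1 = key path, $2 = passphrase
usable_with_passphrase() {
    openssl rsa -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Walk through both files and report what someone with a copy can do.
demo() {
    plain=$(gen_plain_key)
    enc=$(encrypt_key "$plain" "correct horse battery staple")

    if usable_without_passphrase "$plain"; then
        echo "plain.key: loads with no passphrase; whoever has the file has the key"
    fi
    if usable_without_passphrase "$enc"; then
        echo "enc.key: loads without passphrase (unexpected)"
    else
        echo "enc.key: rejected without the passphrase"
    fi
    if usable_with_passphrase "$enc" "correct horse battery staple"; then
        echo "enc.key: loads once the passphrase is supplied"
    fi
}

# Run the walkthrough when executed directly; skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

On the Apache side the prompt this thread is about is controlled by mod_ssl's SSLPassPhraseDialog directive: builtin asks on the console at startup, exec:/path runs a program that prints the passphrase. With exec: the passphrase lives wherever that program reads it from, so the extra layer is only as strong as the protection on that program and its inputs.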