"Brian A. Seklecki" <lavalamp@spiritual-machines.org> writes:
> If a "bad person" were to somehow obtain a copy of the source code with a
> password embedded in the connect string (Steal it from a developer who
> uses Windows, or maybe convince Apache to not interpret PHP before sending
> to the client, something stupid like that), they would still be unable to
> connect without a client certificate.
So they steal the client certificate file instead of (the file
containing) the password. How exactly is this more secure?
regards, tom lane