On Thu, Apr 8, 2010 at 10:08 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:
>
> A PKCS#11 CSP can indeed choose to make private keys exportable or not.
> A FIPS mode CSP will generally make private keys unexportable.
> NSS's NON-FIPS PKCS#11 CSP can also make non-exportable keys, IIRC,
> but Firefox offers no option to set that attribute on new keys when
> creating or importing them.
There are two PKCS #11 key attributes related to this issue.

CKA_EXTRACTABLE: this is what Mountie Lee asked about. Keys with this
attribute set to false cannot be exported in either plaintext or wrapped
(encrypted) form.

CKA_SENSITIVE: this is the attribute we set in FIPS mode. Private and
secret keys can be exported but must be wrapped (encrypted).

Wan-Teh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
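The two attributes described in the reply above, modelled as the checks a PKCS#11 token applies when an application asks for a key's plaintext value (C_GetAttributeValue on CKA_VALUE) or a wrapped copy (C_WrapKey). This is an added illustration written for this thread, not NSS or Firefox code: the KeyObject class, export_policy helper and the exception names are stand-ins for the token's internal state and return codes, and the "wrap" step is a hash-derived XOR keystream, not a real PKCS#11 wrapping mechanism. It also shows the one-way rule the standard places on these attributes after creation (CKA_SENSITIVE may only go from false to true, CKA_EXTRACTABLE only from true to false), which is why the derived CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE flags are trustworthy when auditing a key's history.

```python
# Model of how a PKCS#11 token enforces CKA_SENSITIVE and CKA_EXTRACTABLE on
# key export. Added illustration only, not NSS code; the wrap is a stand-in
# keystream XOR rather than a real key-wrapping mechanism.
import hashlib
from dataclasses import dataclass, field


# Stand-ins for the CKR_* return codes a real token would hand back.
class CKR_ATTRIBUTE_SENSITIVE(Exception):
    """C_GetAttributeValue refused: the key is CKA_SENSITIVE."""


class CKR_KEY_UNEXTRACTABLE(Exception):
    """C_WrapKey refused: the key is not CKA_EXTRACTABLE."""


class CKR_ATTRIBUTE_READ_ONLY(Exception):
    """C_SetAttributeValue refused: the attribute only moves one way."""


@dataclass
class KeyObject:
    value: bytes
    sensitive: bool = False      # CKA_SENSITIVE: plaintext export forbidden
    extractable: bool = True     # CKA_EXTRACTABLE: wrapped export allowed
    # Read-only history attributes the token derives at creation time.
    always_sensitive: bool = field(init=False, default=False)
    never_extractable: bool = field(init=False, default=False)

    def __post_init__(self) -> None:
        self.always_sensitive = self.sensitive
        self.never_extractable = not self.extractable

    def set_attribute(self, name: str, new: bool) -> None:
        """After creation CKA_SENSITIVE may only become true and
        CKA_EXTRACTABLE may only become false; anything else is read-only."""
        if name == "CKA_SENSITIVE":
            if self.sensitive and not new:
                raise CKR_ATTRIBUTE_READ_ONLY(name)
            self.sensitive = new
        elif name == "CKA_EXTRACTABLE":
            if not self.extractable and new:
                raise CKR_ATTRIBUTE_READ_ONLY(name)
            self.extractable = new
        else:
            raise ValueError(f"attribute not modelled here: {name}")

    def get_value(self) -> bytes:
        """Plaintext export (C_GetAttributeValue on CKA_VALUE)."""
        if self.sensitive:
            raise CKR_ATTRIBUTE_SENSITIVE()
        return self.value

    def wrap(self, kek: bytes) -> bytes:
        """Wrapped export (C_WrapKey). Stand-in: XOR with a SHA-256 counter
        keystream derived from the wrapping key; not a real wrap mechanism."""
        if not self.extractable:
            raise CKR_KEY_UNEXTRACTABLE()
        blocks = (len(self.value) + 31) // 32
        stream = b"".join(
            hashlib.sha256(kek + i.to_bytes(4, "big")).digest() for i in range(blocks)
        )
        return bytes(a ^ b for a, b in zip(self.value, stream))


def export_policy(key: KeyObject) -> str:
    """Summarise what an application can get out of the token for this key."""
    if not key.extractable:
        return "none"                  # CKA_EXTRACTABLE=false: nothing leaves
    if key.sensitive:
        return "wrapped-only"          # the FIPS-mode setting in the reply
    return "plaintext-or-wrapped"      # default for a freshly created key


if __name__ == "__main__":
    # Constructed sample key material; any 16 bytes will do for the model.
    k = KeyObject(b"0123456789abcdef")
    print("new key:", export_policy(k))
    k.set_attribute("CKA_SENSITIVE", True)     # what FIPS mode does
    print("after CKA_SENSITIVE=true:", export_policy(k))
    k.set_attribute("CKA_EXTRACTABLE", False)  # what Mountie Lee asked about
    print("after CKA_EXTRACTABLE=false:", export_policy(k))
```

The flags that matter on a key that was imported from software, as opposed to generated on the token, are the derived ones: a key created with sensitive=False and later flipped to sensitive keeps always_sensitive=False, so a reviewer can tell it was once readable in plaintext even though it is not now.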