On 2010/04/08 10:53 PDT, Wan-Teh Chang wrote:
> On Thu, Apr 8, 2010 at 10:08 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:
>>
>> A PKCS#11 CSP can indeed choose to make private keys exportable or not.
>> A FIPS mode CSP will generally make private keys unexportable.
>> NSS's NON-FIPS PKCS#11 CSP can also make non-exportable keys, IIRC,
>> but Firefox offers no option to set that attribute on new keys when
>> creating or importing them.
> 
> There are two PKCS #11 key attributes related to this issue.
> 
> CKA_EXTRACTABLE: this is what Mountie Lee asked about.  Keys with
> this attribute set to false cannot be exported in either plaintext or wrapped
> (encrypted) form.

I agree that extractable is the attribute that most closely resembles the
attribute supplied in Microsoft CSPs.

> CKA_SENSITIVE: this is the attribute we set in FIPS mode.  Private and
> secret keys can be exported but must be wrapped (encrypted).

I'm not sure which of these is the one that Mountie wants.
Mountie, please tell us.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
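To make the distinction drawn in this exchange concrete, here is an added example (not code from the thread, NSS or Firefox): a small Python model of the rules a PKCS#11 token applies to CKA_SENSITIVE and CKA_EXTRACTABLE on plaintext reads and on wrapped export. The CKA_* and CKR_* constants carry their real PKCS#11 values; the TokenKey class, the C_*-named functions and the toy HMAC-keystream "wrap" are assumptions of the model, not a real module or mechanism. It goes a little beyond the thread by also modelling the one-way attribute transitions and the CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE history flags.

```python
"""Model of how a PKCS#11 token treats CKA_SENSITIVE vs. CKA_EXTRACTABLE.

Added example, not code from NSS or Firefox.  CKA_*/CKR_* values are the
real PKCS#11 constants; TokenKey and the C_* functions are a simplified
model of the spec rules, and the "wrap" is a toy stand-in for a CKM_* wrap.
"""
import hashlib
import hmac

# Attribute types (PKCS#11 values).
CKA_VALUE = 0x0011
CKA_SENSITIVE = 0x0103
CKA_EXTRACTABLE = 0x0162
CKA_NEVER_EXTRACTABLE = 0x0164
CKA_ALWAYS_SENSITIVE = 0x0165

# Return codes (PKCS#11 values).
CKR_OK = 0x00
CKR_ATTRIBUTE_READ_ONLY = 0x10
CKR_ATTRIBUTE_SENSITIVE = 0x11
CKR_KEY_UNEXTRACTABLE = 0x6A


class TokenKey:
    """A private or secret key as the token holds it (model, not NSS)."""

    def __init__(self, value: bytes, sensitive: bool, extractable: bool):
        self._value = value  # key material; only leaves via C_WrapKey
        self.attrs = {
            CKA_SENSITIVE: sensitive,
            CKA_EXTRACTABLE: extractable,
            # History flags, fixed at creation: has the key ever been
            # sensitive=FALSE, or ever been extractable=TRUE?
            CKA_ALWAYS_SENSITIVE: sensitive,
            CKA_NEVER_EXTRACTABLE: not extractable,
        }


def C_GetAttributeValue(key: TokenKey, attr: int):
    """Plaintext read.  CKA_VALUE is refused when the key is
    CKA_SENSITIVE=TRUE or CKA_EXTRACTABLE=FALSE (either blocks plaintext)."""
    if attr == CKA_VALUE:
        if key.attrs[CKA_SENSITIVE] or not key.attrs[CKA_EXTRACTABLE]:
            return CKR_ATTRIBUTE_SENSITIVE, None
        return CKR_OK, key._value
    return CKR_OK, key.attrs[attr]


def C_SetAttributeValue(key: TokenKey, attr: int, value: bool) -> int:
    """One-way changes: sensitive may only go FALSE->TRUE, extractable only
    TRUE->FALSE; the history flags are read-only."""
    if attr in (CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE):
        return CKR_ATTRIBUTE_READ_ONLY
    if attr == CKA_SENSITIVE and key.attrs[attr] and not value:
        return CKR_ATTRIBUTE_READ_ONLY
    if attr == CKA_EXTRACTABLE and not key.attrs[attr] and value:
        return CKR_ATTRIBUTE_READ_ONLY
    key.attrs[attr] = value
    return CKR_OK


def _toy_keystream_xor(wrapping_key: bytes, data: bytes) -> bytes:
    """Toy stand-in for a wrap mechanism: HMAC-SHA256 counter keystream XOR.
    Symmetric, so the same call unwraps.  Illustration only, not a real wrap."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(wrapping_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def C_WrapKey(wrapping_key: bytes, key: TokenKey):
    """Encrypted export.  Only CKA_EXTRACTABLE=FALSE blocks it; a
    CKA_SENSITIVE key may still leave the token in wrapped form."""
    if not key.attrs[CKA_EXTRACTABLE]:
        return CKR_KEY_UNEXTRACTABLE, None
    return CKR_OK, _toy_keystream_xor(wrapping_key, key._value)


def C_UnwrapKey(wrapping_key: bytes, wrapped: bytes, sensitive: bool, extractable: bool) -> TokenKey:
    """Import a wrapped key; the caller's template sets the new attributes."""
    return TokenKey(_toy_keystream_xor(wrapping_key, wrapped), sensitive, extractable)


def export_paths(key: TokenKey, wrapping_key: bytes = b"\x42" * 32) -> dict:
    """Which export paths a key permits: the table behind the thread."""
    return {
        "plaintext": C_GetAttributeValue(key, CKA_VALUE)[0] == CKR_OK,
        "wrapped": C_WrapKey(wrapping_key, key)[0] == CKR_OK,
    }


if __name__ == "__main__":
    secret = b"\x11" * 32  # constructed sample key material
    for s, e in [(False, True), (True, True), (False, False), (True, False)]:
        print(f"sensitive={s!s:5} extractable={e!s:5} ->", export_paths(TokenKey(secret, s, e)))
```

The point the model makes visible: CKA_SENSITIVE=TRUE (the FIPS-mode setting) removes only the plaintext path, and the key can still be moved off the token under a wrapping key; CKA_EXTRACTABLE=FALSE removes both. Because both attributes are one-way, a key that is created extractable and later flipped still reports CKA_NEVER_EXTRACTABLE=FALSE, which is what an auditor would check.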