Hi.

I comment below the lines.

On Fri, Apr 9, 2010 at 4:12 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:

> On 2010/04/08 10:53 PDT, Wan-Teh Chang wrote:
> > On Thu, Apr 8, 2010 at 10:08 AM, Nelson B Bolyard <nel...@bolyard.me>
> wrote:
> >>
> >> A PKCS#11 CSP can indeed choose to make private keys exportable or not.
> >> A FIPS mode CSP will generally make private keys unexportable.
> >> NSS's NON-FIPS PKCS#11 CSP can also make non-exportable keys, IIRC,
> >> but Firefox offers no option to set that attribute on new keys when
> >> creating or importing them.
> >
> > There are two PKCS #11 key attributes related to this issue.
> >
> > CKA_EXTRACTABLE: this is what Mountie Lee asked about.  Keys with
> > this attribute set to false cannot be exported in either plaintext or
> wrapped
> > (encrypted) form.
>
> I agree that extractable is the attribute that most closely resembles the
> attribute supplied in Microsoft CSPs.
>
> > CKA_SENSITIVE: this is the attribute we set in FIPS mode.  Private and
> > secret keys can be exported but must be wrapped (encrypted).
>
> I'm not sure which of these is the one that Mountie wants.
> Mountie, please tell us.
>
I mean CKA_EXTRACTABLE.
As a Sub-CA, when they issue client certificates, they want to make sure the
private key will be exported outside of the browser keystore.
The only exception is when the private key is in a hardware token; it can
be moved to another browser.

This is one of the main reasons that many banks do not allow Firefox.
I have business accounts in Japanese banks.
The bank authenticates the client with a certificate and private key.
They keep a strong policy that does not allow the private key to be exportable.

-- 
Mountie Lee

Tel : +82 2 2140 2700
E-Mail : moun...@paygate.net
Twitter : mountielee

=======================================
PayGate Inc.
* WEB STANDARD PAYMENT
* PCI DSS v1.2 COMPLIANT
* www.paygate.net 
* payg...@paygate.net
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
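The thread turns on the difference between CKA_SENSITIVE (plaintext read refused, wrapped export still allowed, which is what NSS sets in FIPS mode) and CKA_EXTRACTABLE=FALSE (wrapped export refused too, which is what the bank policy needs). The following is an added illustration, not code from the thread, from NSS or from any real PKCS #11 module: it models a token's enforcement of those two attributes in plain Python so the three cases can be run side by side without a token. The return-code constants carry the numeric values from pkcs11t.h; the key object, the XOR "wrap", the template helpers and the sample key bytes are constructed here for the example.

```python
"""Model of how a PKCS #11 token enforces CKA_SENSITIVE and CKA_EXTRACTABLE.

Added illustration, not code from the mailing-list thread, from NSS or from
any real PKCS #11 module. The checks follow the attribute rules in the
PKCS #11 spec; the key object, the toy wrap and the helper names are
constructed here so the behaviour can be exercised without a token.
"""
from dataclasses import dataclass

# Return codes, numeric values as in pkcs11t.h.
CKR_OK = 0x00
CKR_ATTRIBUTE_READ_ONLY = 0x10
CKR_ATTRIBUTE_SENSITIVE = 0x11
CKR_KEY_UNEXTRACTABLE = 0x6A


@dataclass
class PrivateKeyObject:
    """A private key object carrying the two attributes under discussion."""
    value: bytes        # CKA_VALUE, the material the token guards
    sensitive: bool     # CKA_SENSITIVE
    extractable: bool   # CKA_EXTRACTABLE


def c_get_attribute_value(key: PrivateKeyObject, attr: str):
    """Plaintext read of an attribute, as C_GetAttributeValue would do it.

    CKA_VALUE is refused with CKR_ATTRIBUTE_SENSITIVE when the key is
    sensitive OR unextractable; the two boolean attributes are always readable.
    """
    if attr == "CKA_VALUE":
        if key.sensitive or not key.extractable:
            return CKR_ATTRIBUTE_SENSITIVE, None
        return CKR_OK, key.value
    if attr == "CKA_SENSITIVE":
        return CKR_OK, key.sensitive
    if attr == "CKA_EXTRACTABLE":
        return CKR_OK, key.extractable
    raise ValueError(f"unknown attribute {attr}")


def c_wrap_key(wrapping_key: bytes, key: PrivateKeyObject):
    """Encrypted export, as C_WrapKey would do it.

    Only CKA_EXTRACTABLE matters here: a sensitive-but-extractable key (the
    NSS FIPS case) wraps fine, an unextractable one fails. The XOR "wrap" is
    a constructed stand-in for a real mechanism such as CKM_AES_KEY_WRAP.
    """
    if not key.extractable:
        return CKR_KEY_UNEXTRACTABLE, None
    pad = (wrapping_key * (len(key.value) // len(wrapping_key) + 1))[: len(key.value)]
    return CKR_OK, bytes(a ^ b for a, b in zip(key.value, pad))


def c_set_attribute_value(key: PrivateKeyObject, attr: str, new_value: bool) -> int:
    """Attribute changes are one-way: CKA_SENSITIVE may only go to TRUE and
    CKA_EXTRACTABLE may only go to FALSE. Any other change is read-only."""
    if attr == "CKA_SENSITIVE" and (new_value or not key.sensitive):
        key.sensitive = new_value
        return CKR_OK
    if attr == "CKA_EXTRACTABLE" and (not new_value or key.extractable):
        key.extractable = new_value
        return CKR_OK
    return CKR_ATTRIBUTE_READ_ONLY


# Three templates a CA might ask the CSP for (helper names are ours).
def exportable_key(value: bytes) -> PrivateKeyObject:
    """Neither attribute set: plaintext and wrapped export both allowed."""
    return PrivateKeyObject(value, sensitive=False, extractable=True)


def nss_fips_key(value: bytes) -> PrivateKeyObject:
    """CKA_SENSITIVE as in NSS FIPS mode: wrapped export only."""
    return PrivateKeyObject(value, sensitive=True, extractable=True)


def bank_policy_key(value: bytes) -> PrivateKeyObject:
    """CKA_EXTRACTABLE=FALSE, the policy the bank requires: no export at all."""
    return PrivateKeyObject(value, sensitive=True, extractable=False)


def export_attempts(key: PrivateKeyObject, wrapping_key: bytes) -> dict:
    """Try both export paths and report the return code of each."""
    rv_plain, _ = c_get_attribute_value(key, "CKA_VALUE")
    rv_wrap, _ = c_wrap_key(wrapping_key, key)
    return {"plaintext": rv_plain, "wrapped": rv_wrap}


if __name__ == "__main__":
    SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    KEK = b"\xa5" * 8                                              # constructed
    for name, make in [("exportable", exportable_key),
                       ("NSS FIPS", nss_fips_key),
                       ("bank policy", bank_policy_key)]:
        print(f"{name:12} {export_attempts(make(SAMPLE_KEY), KEK)}")
```

Run as a script it prints the two return codes per template; the point to notice is that the FIPS-style key still leaves the token under C_WrapKey, and that once a key has been created with CKA_EXTRACTABLE=FALSE the attribute cannot be flipped back, so it has to be set in the template at generation or import time, which is exactly the option the thread says Firefox does not expose.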
