Hi, sorry.
I made a mistake.
exportable -> unexportable

Mountie

On 2010. 4. 9. 14:17, Anders Rundgren <anders.rundg...@telia.com> wrote:

Mountie Lee wrote:
I mean CKA_EXTRACTABLE.
As a Sub-CA, when they issue a client certificate, they want to make sure the private key will be exported outside of the browser keystore. The only exception is when the private key is in a hardware token; it can be moved to another browser.

I didn't get that one.  Why do they want keys to be exportable?  I
thought it was the opposite.

This is one of the main reasons that many banks do not allow Firefox.
I have a business account in Japanese banks.
The bank authenticates the client with a certificate and private key.
They keep a strong policy that does not allow the private key to be exportable.

Although the Mozilla people may express things differently, the
source of the problem is not in PKCS #11 (it has everything that
is needed), but in <keygen> since a CA has no options for key
protection during issuance using Firefox which it has using
MSIE.

It might be of interest to know that hardly any bank in the EU
(many use soft certificates) has bothered with MSIE or Firefox
keystores at all, since banks require PIN-codes, which is a feature
they are accustomed to.  Due to this they have their own client
software for both auth and keygen.

Anders

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto