On 2010-04-08 22:17 PST, Anders Rundgren wrote:
> Mountie Lee wrote:
>> I mean CKA_EXTRACTABLE.
>> As a Sub-CA, when they issue a client certificate, they want to make sure
>> the private key will [not] be exported outside of the browser keystore. The
>> only exception is when the private key is in a hardware token; it can
>> be moved to another browser.
>> This is one of the main reasons that many banks do not allow Firefox. I
>> have a business account in Japanese banks. The bank authenticates the client
>> with certificate and private key. They keep a strong policy that does not
>> allow the private key to be exportable.
>
> Although the Mozilla people may express things differently, the source of
> the problem is not in PKCS #11 (it has everything that is needed), but in
> <keygen>, since a CA has no options for key protection during issuance
> using Firefox which it has using MSIE.

Yes, I quite agree with you on this point, Anders. The problem is that the
CA cannot express to Firefox that it wants Firefox to require that the
generated key be unextractable.

> It might be of interest knowing that hardly any bank in the EU (many use
> soft certificates) has bothered with MSIE or Firefox keystores at all,
> since banks require PIN codes, which is a feature they are accustomed
> to. Due to this they have their own client software for both auth and
> keygen.

Yes, you've told us that frequently. Have you now written an add-on for
Firefox and an .ocx or BHO for MSIE that implements the same new cert
enrollment HTML or JavaScript feature in those two browsers? If so, please
provide a URL for the web site describing them. Then we'll see if there's
any follow-up interest here.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
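As an added example (not code from this thread, from Mozilla, or from any bank), the check a CA or relying party could apply to a client key's PKCS #11 attributes once it sits in a keystore, plus the private-key template the thread says a CA has no way to request through Firefox's <keygen>. The attr_t struct and the CKA_* constants are defined locally on the assumption that pkcs11.h is not on the build path; the values are the standard PKCS #11 v2.x ones.

```c
/* Added example, not from the thread. Constants are standard PKCS #11 v2.x
 * values; attr_t mirrors CK_ATTRIBUTE so this compiles without pkcs11.h. */
#include <stddef.h>
#include <stdbool.h>

typedef unsigned long CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_TOKEN             0x00000001UL
#define CKA_PRIVATE           0x00000002UL
#define CKA_SENSITIVE         0x00000103UL
#define CKA_EXTRACTABLE       0x00000162UL
#define CKA_NEVER_EXTRACTABLE 0x00000164UL

typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; size_t ulValueLen; } attr_t;

/* Look up a boolean attribute in a list read back from a token; *found is
 * false when the attribute is absent (treated as unknown, not as FALSE). */
static bool get_bool(const attr_t *a, size_t n, CK_ATTRIBUTE_TYPE t, bool *found) {
    for (size_t i = 0; i < n; i++) {
        if (a[i].type == t && a[i].ulValueLen == sizeof(CK_BBOOL)) {
            *found = true;
            return *(const CK_BBOOL *)a[i].pValue == CK_TRUE;
        }
    }
    *found = false;
    return false;
}

/* The bank policy from the thread: the private key must not be exportable.
 * CKA_EXTRACTABLE must be FALSE and CKA_SENSITIVE TRUE. CKA_EXTRACTABLE can
 * only ever change TRUE->FALSE, so a key that was once extractable may already
 * have a copy outside the keystore: when the module reports the read-only
 * CKA_NEVER_EXTRACTABLE flag, require it too. Unknown state fails closed. */
bool key_meets_nonexport_policy(const attr_t *a, size_t n) {
    bool f_ext, f_sens, f_never;
    bool extractable = get_bool(a, n, CKA_EXTRACTABLE, &f_ext);
    bool sensitive   = get_bool(a, n, CKA_SENSITIVE, &f_sens);
    bool never       = get_bool(a, n, CKA_NEVER_EXTRACTABLE, &f_never);
    if (!f_ext || !f_sens || extractable || !sensitive) return false;
    return !(f_never && !never);
}

/* Constructed private-key template a CA would want the browser to honour. */
static CK_BBOOL bTrue = CK_TRUE, bFalse = CK_FALSE;
attr_t nonexport_privkey_template[] = {
    { CKA_TOKEN, &bTrue, sizeof bTrue }, { CKA_PRIVATE, &bTrue, sizeof bTrue },
    { CKA_SENSITIVE, &bTrue, sizeof bTrue }, { CKA_EXTRACTABLE, &bFalse, sizeof bFalse },
};
size_t nonexport_privkey_template_len = 4;
```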