Kyle Hamilton wrote, On 2009-04-23 14:02:
> Is there a pk1util that would allow for PKCS#1 management?  I think
> that would be more useful than requiring a self-signed public key
> wrapper for pk12util.

Private key storage is not within the scope of PKCS#1.
It is covered by PKCS#8.  NSS supports PKCS#8 fully, but deliberately
refuses to allow "bare" private keys to be exported in PKCS#8 format.

This is not a new policy decision, and goes back over 10 years.  MUCH
has been written on that.  I encourage you to read through the archives
about it.

The NSS team participated in the process of defining PKCS#12 precisely
to avoid the security trap of exporting private keys in PKCS#8 format.
Avoiding that trap is precisely why PKCS#12, and not PKCS#8, is THE only
format for private key transport supported by all of NSS, Microsoft and OpenSSL.
dev-tech-crypto mailing list

Reply via email to