On 2009-06-01 06:31 PDT, Jan Schejbal wrote:
> I did of course google and I did find the site you linked, but it did
> not help me much, as I found no information what has to happen
> server-side (or links to such information). I understand that the key is
> generated, stored and a SignedPublicKeyAndChallenge POSTed to the server.
> I had not recognized that SignedPublicKeyAndChallenge is a standard
> format.

Well, I don't know if I'd call it "standard", but it's been in use by
Mozilla (and before them, Netscape) browsers for over 10 years, and IIRC
OpenSSL has support for it, so it's at least a /de facto/ standard.

> After I found that out, it seems to be a bit clearer to me. I assume that
> the server then may generate a certificate for that key and send it back
> to the client.

Yes.

> Firefox will then probably install the certificate as an SSL client cert
> and allow authentication.

It will if the server sends it to the Firefox browser with the appropriate
MIME content type for user certificates.  See
https://wiki.mozilla.org/CA:Certificate_Download_Specification

> However, if this does not happen, i.e. for some reason the key gets
> generated but the server fails to respond with a certificate, what will
> happen with the key?

As you've already discovered, they sit there in the key DB until they are
deleted by some means.

> As I already said, I did not find any UI (or any way at all for that
> matter) for managing those keys,

Firefox does not provide any UI for handling "orphan" keys.  That's right.
It's not a big tragedy.  The minimum size of the key DB is large enough
that it won't grow on disk until MANY keys have been stored in it.  A few
orphan keys won't even be noticed.

> actually there seems no way to access or delete those keys at all. Is
> there?

No, there is not.  See more info about orphan keys at
https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=orphan+key&product=NSS&chfieldto=Now&order=Bug+Number

> Jan
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
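The server-side half that Jan could not find documented, as an added example that is not part of the thread and not code from Mozilla or NSS. It shows what a form handler has to do with the SignedPublicKeyAndChallenge a `<keygen>` POSTs: base64-decode it, take apart the DER (SEQUENCE { SEQUENCE { SubjectPublicKeyInfo, IA5String challenge }, AlgorithmIdentifier, BIT STRING signature }), check that the challenge is the one this server issued to the session (so an old submission cannot be replayed), and verify the signature under the enclosed key, which is the only proof that the submitter holds the matching private key. Everything here is pure Python: the DER, Miller-Rabin and textbook-RSA helpers are constructed for the demo so it runs offline, `make_spkac` stands in for the browser, the challenge string and the 2048-bit minimum are my choices, and the sample signs with sha256WithRSAEncryption although the verifier also accepts the md5WithRSAEncryption OID that keygen-era browsers used.

```python
import base64, binascii, collections, hashlib, math, secrets

TLV = collections.namedtuple("TLV", "tag value raw")
NULL = b"\x05\x00"
OID_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption
OID_MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # md5WithRSAEncryption
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
OID_MD5 = b"\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05"
OID_SHA256 = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01"
# signature AlgorithmIdentifier -> (hash, digest OID placed in the PKCS#1 DigestInfo)
SIG_ALGS = {OID_MD5_RSA: (hashlib.md5, OID_MD5), OID_SHA256_RSA: (hashlib.sha256, OID_SHA256)}

class SpkacError(ValueError): """Raised when a SignedPublicKeyAndChallenge must be rejected."""

def der(tag, body):  # just enough DER to build and take apart an SPKAC
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_int(i): return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))  # keeps the sign bit clear
def der_seq(*items): return der(0x30, b"".join(items))

def tlv(buf, pos=0):  # decode one TLV at pos -> (TLV, offset just after it)
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return TLV(tag, buf[pos:pos + length], buf[start:pos + length]), pos + length

def children(node, count=None):  # TLVs nested inside a constructed node, with an arity check
    out, pos = [], 0
    while pos < len(node.value):
        child, pos = tlv(node.value, pos)
        out.append(child)
    if count is not None and len(out) != count:
        raise SpkacError("unexpected SPKAC structure")
    return out

# Textbook RSA, only to fabricate the browser-side key for the demo; not a production key generator.
def is_probable_prime(n, rounds=16):  # Miller-Rabin after trial division by small primes
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def gen_rsa(bits):  # -> (n, e, d); top two bits of each prime set so n is exactly `bits` long
    def prime(b):
        while True:
            c = secrets.randbits(b) | (3 << (b - 2)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1 and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, phi)

def pkcs1_v15_em(data, hash_fn, hash_oid, k):  # EMSA-PKCS1-v1_5 encoding for a k-byte modulus
    digest_info = der_seq(der_seq(hash_oid, NULL), der(0x04, hash_fn(data).digest()))
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def make_spkac(n, e, d, challenge, sig_oid=OID_SHA256_RSA):
    """Browser side of <keygen>: sign SEQ{SubjectPublicKeyInfo, IA5String challenge} with the new key."""
    spki = der_seq(der_seq(OID_RSA, NULL), der(0x03, b"\x00" + der_seq(der_int(n), der_int(e))))
    pkac = der_seq(spki, der(0x16, challenge.encode("ascii")))
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(pkcs1_v15_em(pkac, *SIG_ALGS[sig_oid], k), "big"), d, n).to_bytes(k, "big")
    return base64.b64encode(der_seq(pkac, der_seq(sig_oid, NULL), der(0x03, b"\x00" + sig))).decode()

def verify_spkac(spkac_b64, expected_challenge, min_bits=2048):
    """Server side: accept only a well-formed SPKAC carrying this session's challenge and a signature
    that verifies under the enclosed key (proof of possession). Returns (n, e) for the CA to certify."""
    try:
        raw = base64.b64decode(spkac_b64, validate=True)
        top, end = tlv(raw)
        if top.tag != 0x30 or end != len(raw):
            raise SpkacError("not a single DER SEQUENCE")
        pkac, sig_alg, sig = children(top, 3)
        spki, challenge = children(pkac, 2)
        alg_id, pub_bits = children(spki, 2)
        key_alg, sig_oid = children(alg_id)[0].raw, children(sig_alg)[0].raw
        n_node, e_node = children(tlv(pub_bits.value[1:])[0], 2)  # [1:] skips the unused-bits octet
    except (IndexError, binascii.Error) as exc:
        raise SpkacError(f"malformed SPKAC: {exc}") from None
    if challenge.tag != 0x16 or challenge.value != expected_challenge.encode("ascii"):
        raise SpkacError("challenge mismatch: stale or replayed submission")
    n, e = int.from_bytes(n_node.value, "big"), int.from_bytes(e_node.value, "big")
    if (key_alg != OID_RSA or pub_bits.tag != 0x03 or sig.tag != 0x03
            or sig_oid not in SIG_ALGS or n.bit_length() < min_bits):
        raise SpkacError(f"need an RSA key of at least {min_bits} bits and a known signature algorithm")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig.value[1:], "big")
    if pow(s, e, n).to_bytes(k, "big") != pkcs1_v15_em(pkac.raw, *SIG_ALGS[sig_oid], k):
        raise SpkacError("signature does not verify: no proof of possession")
    return n, e
```

What `verify_spkac` returns is the public key the CA should certify; issuing the certificate itself is a CA job (OpenSSL's `openssl ca -spkac` consumes this same format), and the issued DER then goes back to the browser with the `application/x-x509-user-cert` content type from the download spec linked above, which is what makes Firefox install it as a client cert. Sending anything else, or failing the request, is exactly the orphan-key case discussed in this thread: the key stays in the key DB with no certificate to pair it with.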
