> That results in 2 questions from me:
>
> 1. What are the criteria of NSS for distinguishing between "own" and
> "others" certificates?
>
> 2. I recently read that there is a hidden flag to mark a token
> implementation as "friendly", allowing searches for certificates
> without logging in. Is there any chance to set this via GUI,
> about:config or hex editor?

The flag is supposed to be 'Publicly Readable Certs' (which is more descriptive), but it looks like modutil uses the older (and supposedly internal) name, which I came up with while sleep deprived ;), of FRIENDLY.

The reason it's not the default is twofold:

1) There are some tokens in which you must log in to read *any* certs. Today this is rare.

2) Almost all tokens mark the private key as private, and it's not even findable if the token has not been logged in. As Honras and Nelson pointed out, this is what makes a cert 'yours'. It's also used when deciding if a cert is usable for client auth or email signing or decryption.

To get around 2, NSS will look for a public key on the token with the same CKA_ID as the private key. NSS uses the existence of a public key to infer that the private key probably exists. If the token is marked with the publicly readable certs/friendly flag, then NSS will not try to authenticate to it before looking up certs and will depend on the public key semantics to identify 'user' certs. If your token does not have a public key for every private key with the matching CKA_ID, and you mark your token as friendly, your certs will not appear to be user certs and NSS will not attempt to use them. If you then explicitly log in, everything will start working for that token again.

This extra behavior is not required by PKCS #11, and that is why NSS requires explicitly setting that flag before it depends on that behavior.

bob

> TIA
> M.H.
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
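The lookup rules in the reply above (private keys unfindable before login, a public key with the same CKA_ID used as a stand-in when the token is marked friendly, and the failure mode when a friendly token lacks public key objects) can be modelled in a few lines. The following is an added example, not NSS or PKCS #11 code and not from the thread: the `Token` class, the `login_needed_for_certs` field, the `find_user_certs` function and all of the object labels and CKA_ID values are constructed for the illustration.

```python
"""
Constructed model of the NSS 'user cert' decision described in the reply.
Added illustration only: Token, find_user_certs and the sample objects are
assumptions made for this example, not NSS internals.
"""
from dataclasses import dataclass, field


@dataclass
class Token:
    """Toy PKCS #11 token holding certificate/key objects keyed by CKA_ID."""
    name: str
    friendly: bool                        # 'Publicly Readable Certs' / FRIENDLY flag
    login_needed_for_certs: bool = False  # the rare token that hides even certs before login
    objects: list = field(default_factory=list)  # constructed objects, see build_tokens()

    def add(self, cls, cka_id, label):
        self.objects.append({"class": cls, "cka_id": cka_id, "label": label})

    def visible(self, logged_in):
        """Objects a C_FindObjects-style search would return in this login state."""
        out = []
        for o in self.objects:
            if o["class"] == "private_key" and not logged_in:
                continue  # private keys are marked private: unfindable until login
            if o["class"] == "certificate" and self.login_needed_for_certs and not logged_in:
                continue  # rare token: nothing is readable before login
            out.append(o)
        return out


def find_user_certs(token, explicit_login=False):
    """Return labels of certs that would be treated as the user's own.

    A non-friendly token is authenticated before the search, so private keys
    are findable and a cert is 'yours' when a private key shares its CKA_ID.
    A friendly token is searched without logging in (unless the user logs in
    explicitly), so the presence of a private key is inferred from a public
    key carrying the same CKA_ID.
    """
    logged_in = True if not token.friendly else explicit_login
    objs = token.visible(logged_in)
    priv_ids = {o["cka_id"] for o in objs if o["class"] == "private_key"}
    pub_ids = {o["cka_id"] for o in objs if o["class"] == "public_key"}
    user = []
    for o in objs:
        if o["class"] != "certificate":
            continue
        if o["cka_id"] in priv_ids or o["cka_id"] in pub_ids:
            user.append(o["label"])
    return sorted(user)


def build_tokens():
    """Constructed sample tokens covering the cases the reply describes."""
    # Well-formed token: cert, private key and public key share a CKA_ID.
    good = Token("good", friendly=True)
    good.add("certificate", b"\x01", "alice-cert")
    good.add("private_key", b"\x01", "alice-priv")
    good.add("public_key", b"\x01", "alice-pub")
    good.add("certificate", b"\x99", "some-ca-cert")  # no key at all: not a user cert

    # Friendly token with no public key object: the pitfall in the reply.
    nopub = Token("nopub", friendly=True)
    nopub.add("certificate", b"\x02", "bob-cert")
    nopub.add("private_key", b"\x02", "bob-priv")

    # Same objects, but the token is not marked friendly (NSS logs in first).
    nopub_strict = Token("nopub-strict", friendly=False)
    nopub_strict.add("certificate", b"\x02", "bob-cert")
    nopub_strict.add("private_key", b"\x02", "bob-priv")

    # Rare token that hides even certificates until login.
    hidden = Token("hidden", friendly=True, login_needed_for_certs=True)
    hidden.add("certificate", b"\x03", "carol-cert")
    hidden.add("private_key", b"\x03", "carol-priv")
    hidden.add("public_key", b"\x03", "carol-pub")
    return good, nopub, nopub_strict, hidden


if __name__ == "__main__":
    good, nopub, nopub_strict, hidden = build_tokens()
    print("good, friendly, no login:   ", find_user_certs(good))
    print("nopub, friendly, no login:  ", find_user_certs(nopub))
    print("nopub, friendly, logged in: ", find_user_certs(nopub, explicit_login=True))
    print("nopub, not friendly:        ", find_user_certs(nopub_strict))
    print("hidden, friendly, no login: ", find_user_certs(hidden))
```

Running it shows the asymmetry the reply warns about: the `nopub` token yields no user certs while friendly and unauthenticated, but the same objects become usable either after an explicit login or when the token is left non-friendly so that the search is preceded by authentication.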

