Jamie Nicolson wrote:
> OK, I've filed http://bugzilla.mozilla.org/show_bug.cgi?id=138273.
> 
> Getting back to my original question, what's the rationale for having 
> the database token support as little as possible? Is this a FIPS 
> requirement? It is a hassle to unwrap a key on one token, then transfer 
> it to the other token in order to decrypt something.

It's so the crypto token gets preference for generic crypto operations. 
You don't want the internal token selected because you have to 
authenticate to it. Without the authentication issue, you would only 
need one token (that's the FIPS case. You always have to authenticate, 
so you are better off putting everything in one token. It's also an even 
bigger pain to move keys between FIPS tokens).

bob
