According to Sylvain Cuaz <[EMAIL PROTECTED]>:
> So that is mozilla that generates a key pair and Thawte never sees my
> private key ?
Yes. Mozilla (actually its "NSS internal PKCS#11 module") generates the
key pair, and sends to Thawte the "certificate request", which contains
the public key and your "identification" (mostly your email address).
Thawte then performs some procedure to make sure that it is indeed your
certificate request (Thawte sends you an email). Then Thawte produces
your certificate (which contains your identification, your public key
and the Thawte signature) and sends it back to you. Mozilla then stores
that certificate with the private key.
External security devices (e.g., smartcards) can be plugged into Mozilla
as add-on PKCS#11 modules; in that situation, the key pair is generated
on the device, and the private key never gets out of the device.
--Thomas Pornin
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
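The enrolment sequence described above (local key generation, a request carrying only the public key and identification, CA verification, certificate issuance), as an added example that is not part of the original thread: it plays the flow out with the openssl command line rather than Mozilla's NSS module, assumes openssl is on PATH, and the user name, email address and CA are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread: the enrolment flow
# described above, played out with the openssl CLI instead of NSS.
# Assumed: openssl on PATH. The names, the CA and the address are constructed.

enroll_demo() {
    w=$(mktemp -d) || return 1

    # 1. Client side ("Mozilla"): the key pair is generated locally.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$w/user.key" 2>/dev/null || return 1

    # 2. Client builds the certificate request: public key + identification
    #    (here the email address), self-signed with the private key.
    openssl req -new -key "$w/user.key" \
        -subj "/CN=Demo User/emailAddress=user@example.invalid" \
        -out "$w/user.csr" 2>/dev/null || return 1

    # 3. CA side ("Thawte"): its own key pair and self-signed root.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$w/ca.key" 2>/dev/null || return 1
    openssl req -new -x509 -key "$w/ca.key" -subj "/CN=Demo CA" -days 1 \
        -out "$w/ca.crt" 2>/dev/null || return 1

    # 4. CA checks the request's self-signature (proof of possession of the
    #    private key), then issues a certificate over the requested subject.
    openssl req -in "$w/user.csr" -verify -noout >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$w/user.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
        -CAcreateserial -days 1 -out "$w/user.crt" 2>/dev/null || return 1

    # 5. Properties the explanation relies on:
    #    (a) nothing sent to the CA carries private key material;
    if grep -q "PRIVATE KEY" "$w/user.csr"; then return 1; fi
    #    (b) the issued certificate binds the locally generated public key;
    [ "$(openssl pkey -in "$w/user.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$w/user.crt" -pubkey -noout)" ] || return 1
    #    (c) it chains to the CA, and (d) the identification survived.
    openssl verify -CAfile "$w/ca.crt" "$w/user.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$w/user.crt" -noout -subject | \
        grep -q "user@example.invalid" || return 1

    # Return the working directory so the artifacts can be inspected.
    echo "$w"
}
```

Inspect the request with `openssl req -in "$dir/user.csr" -text -noout` to confirm it holds only the public key and subject, never the private key.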