Jon Maber wrote:

The question is this: is it possible for the server that issues/stores user certificates to instruct the PKCS#11 Module not to store the private key (or certificate) in any kind of persistent store? There are two scenarios where we might want to apply this, 1) when the browser generates a key pair - because we may choose to issue the user with a very short lived certificate every time they log in.

If you generate the keypair locally, you have to do it with a given PKCS#11 module, i.e. the persistent NSS security database, a temporary key object, or a smartcard with a 3rd-party PKCS#11 module. The server can have no guarantee that the key won't be persistently stored in whatever device it was generated in. You could wish to modify the software to generate the key only temporarily and not store it, but it could be circumvented by modifying the software.


It sounds like what you want to do is have a short validity period on the certificate that is issued, and/or have the server automatically revoke the certificate.
That would of course assume that all your other infrastructure pieces support revocation, either through OCSP or CRLs.


2) when we deliver the private key along with the certificate - because we may choose to generate the key pair server side so we can create a long lived certificate and simply reissue it. Of course we would also like to avoid the need for a user to ever set a master password in the browser.

If you generate the keypair on the server side, the only practical way for the client to use it is to deliver it to the client, which can then do whatever he wants with it - legitimate or not. There is nothing you can do against that. You will only waste cycles on your server side generating the keypair. Look into regenerating keypair on the client and having the server issue the cert at login time, and use revocation mechanisms for access controls on backends to check the certs.
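The pattern the reply recommends, a client-generated keypair, a certificate signed at login with a short validity, and backends that check the validity window and a revocation source, can be exercised end to end with Go's standard `crypto/x509` package. The following is an added example and not code from this thread or from NSS; the CA name, the user name, the 15-minute lifetime and the use of a CRL (rather than OCSP) as the revocation source are assumptions. The point it demonstrates is the one made above: once the server controls issuance and revocation, whether the client persisted the key in a database or on a token no longer matters, because the backend check fails as soon as the certificate expires or is listed as revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LoginCA is a constructed stand-in for the server that signs a client
// certificate at login time. Names and lifetimes are assumptions.
type LoginCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	next int64 // next serial number to issue
}

func NewLoginCA() (*LoginCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Login CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LoginCA{Cert: cert, key: key, next: 2}, nil
}

// GenerateClientKey models the browser generating its own keypair; the
// server only ever sees the public half.
func GenerateClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs a client-auth certificate for pub that is valid only for ttl
// starting at now. Where the client keeps its key is irrelevant to this window.
func (ca *LoginCA) Issue(user string, pub *ecdsa.PublicKey, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CRL signs a revocation list naming the given certificates, standing in for
// whatever revocation source (CRL or OCSP) the backends actually consult.
func (ca *LoginCA) CRL(now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// CheckClientCert is the backend-side access control: chain and validity
// window first, then the CRL. It returns nil only if the certificate is
// acceptable at time now.
func CheckClientCert(ca, leaf *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain/validity: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

A backend that applies `CheckClientCert` on every request accepts the certificate only inside its 15-minute window and only while its serial is absent from the current CRL; a key that the browser kept in its persistent database past logout buys the holder nothing once the server stops reissuing or publishes the serial as revoked.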
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto