James wrote:
I am trying to mimic the handling of Certificates commonly seen in browsers
such as Mozilla - where the certificate is imported into a certificate
manager given a password. However, as the user requires the certificate in
any future sessions, the password is not needed in order to authenticate
themselves with a given site. Now I'm still trying to get a grasp of PKI
technology, but I'm assuming the browsers are just creating a keystore with
a password that is required prior to importing. But what allows the user to
access the keystore without needing a password to later retrieve the
certificate for authentication? Thanks for any explanations you might have.

James,

It sounds like you think that mozilla requires passwords to
import certs (private keys, actually) but not to use them once imported.
I'm pretty sure that mozilla does require that the user be "logged in"
(authenticated) to the "software security device" in order to use them.
To test that, import your cert, then exit the browser and restart it.
I suspect you will find that you must enter your "master password"
before you can do client authentication with your cert.
It may be that your browser has been configured to only require login
once per browser "session" (that is, only once until the browser is
restarted). You can configure mozilla to prompt you for the master
password
- every time it is needed, or
- if it has not been used for N minutes or longer (you choose N), or
- only the first time it is needed (until the browser is restarted).
--
Nelson B