"Eric W. Bradway" wrote:
>
> > > > private-key be stored on a smart-card. However you do it, your
> > > > guarantee of client id is only as secure as that private key.
> > > So, how do the browsers manage the private-key? Is it only
> > > the OS that prevents unauthorized access to it?
> >
> > whole system. How this is implemented I really don't know, so can't
> > tell you a whole lot more.
>
> When you store a key in IE/WinX, you are given a choice of 'security
> level' for the key: low, medium, high. Low doesn't require any
> authentication to use the key, medium requires password authentication
> once per login session, and high requires password authentication on every
> key use.
>
Actually, medium doesn't require password authentication (other than
having to log in as the relevant user); it just throws up a dialog box
asking for confirmation of the operation.

The original poster also asked about Netscape. Netscape stores keys
encrypted with a password in the key3.db file using the triple DES
algorithm. The precise format is documented in several places including
my home site and the mozilla site.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.