On Wed, Jul 15, 2009, tito wrote:
> Thank you for replying.
>
> This is what I can conclude from the inputs I got.
>
> 1. Mozilla has no way to lock/disable the private key export when we export
> the certificate.
>
> 2. I would have to trust my agents, or write in the contract, that he will not
> use the certificate other than on the designated PC where the request for the
> certificate was done.
>
> If anyone has any other opinions about it, please let me know. Thanks a
> lot.
It seems your threat model is only against a non-tech-savvy user. MSIE "unexportable" private keys can be exported if you know how, and even if you could enforce greying out of the Mozilla export option, the certificate and key database files are easily backed up anyway.

A possibility would be to use a PKCS#11 soft-token which won't export keys. I'm not aware of any such thing, but it could be done. It would need to encrypt its key database in such a way that it would only work on one PC. Again, a knowledgeable user could easily bypass that, and nothing short of a hardware token would help against that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org