On Tue, Mar 24, 2009 at 3:21 PM, Smita <vsmi...@gmail.com> wrote:
>
> Hello,
>
> I am putting forth the problem of client authentication handling in
> Chrome, as I understand it. Kindly correct me if this isn't correct.
>
> I understand that SSL handshake fails when a server asks for the
> client certificate. Currently there is no provision to extract the
> PKCS#11 certificate of the client from a specified DB. The task
> requires that the PKCS#11 certificate be extracted from the DB and
> sent to the server.

Yes, your description of the problem is basically correct.  The
inaccuracy is in the use of the term "PKCS #11".  The correct
terms are "X.509 certificate" and "NSS DB".

> Questions that arises here: how is the DB specified? Will it be a
> specified path on the disk? Also, will the PKCS#11 be encrypted in the
> DB? Hence, the application will have to decrypt it into plaintext and
> then send it to the server.

Chromium is not yet using an NSS DB, but we will need to use
an NSS DB for the SSL client certificates.  We will choose
a path either in Chromium's user data directory or in a directory
that can be shared with other applications.  The latter is preferred.

Certificates contain public information, so they don't need to
be encrypted on disk.  However, the associated private keys
are encrypted with password-based encryption and stored in
the NSS DB.

Also note that the certificate and associated private key could
be stored in a smart card, in which case NSS will talk to the
smart card using the PKCS #11 API.

Wan-Teh

Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe:
    http://groups.google.com/group/chromium-dev