On Tue, Mar 24, 2009 at 3:21 PM, Smita <vsmi...@gmail.com> wrote:
>
> Hello,
>
> I am putting forth the problem of client authentication handling in
> Chrome, as I understand it. Kindly correct me if this isn't correct.
>
> I understand that the SSL handshake fails when a server asks for the
> client certificate. Currently there is no provision to extract the
> PKCS#11 certificate of the client from a specified DB. The task
> requires that the PKCS#11 certificate be extracted from the DB and
> sent to the server.

Yes, your description of the problem is basically correct. The
inaccuracy is in the use of the term "PKCS #11". The correct terms are
"X.509 certificate" and "NSS DB".

> Questions that arise here: how is the DB specified? Will it be a
> specified path on the disk? Also, will the PKCS#11 be encrypted in the
> DB? Hence, the application will have to decrypt it into plaintext and
> then send it to the server.

Chromium is not yet using an NSS DB, but we will need to use an NSS DB
for the SSL client certificates. We will choose a path either in
Chromium's user data directory or in a directory that can be shared
with other applications. The latter is preferred.

Certificates contain public information, so they don't need to be
encrypted on disk. However, the associated private keys are encrypted
with password-based encryption and stored in the NSS DB.

Also note that the certificate and associated private key could be
stored in a smart card, in which case NSS will talk to the smart card
using the PKCS #11 API.

Wan-Teh

Chromium Developers mailing list: chromium-dev@googlegroups.com
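Added example, not code from the thread or from Chromium: the client-authentication handshake discussed above, reproduced with Python's ssl module. It assumes the openssl CLI is available to mint constructed self-signed server and client certificates, and it keeps the client's private key password-encrypted on disk (as NSS does in its DB), decrypting it only in memory for the handshake; a server that demands a client certificate rejects the client that presents none.

```python
import socket, ssl, subprocess, tempfile, threading

PASSWORD = "hunter2"  # constructed passphrase protecting the client's private key

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(d):
    """Constructed test material: one self-signed cert per role; client key PBE-encrypted."""
    for role in ("server", "client"):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", f"/CN={role}", "-addext", f"subjectAltName=DNS:{role}",
                 "-keyout", f"{d}/{role}.key", "-out", f"{d}/{role}.crt")
    # Re-store the client key as PKCS#8 under password-based AES-256 encryption.
    _openssl("pkcs8", "-topk8", "-v2", "aes-256-cbc", "-in", f"{d}/client.key",
             "-out", f"{d}/client.enc.key", "-passout", f"pass:{PASSWORD}")

def run_server(d, srv, result):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")
    ctx.verify_mode = ssl.CERT_REQUIRED           # the server demands a client cert
    ctx.load_verify_locations(f"{d}/client.crt")  # trust anchor for client certs
    conn, _ = srv.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            result["peer"] = dict(x[0] for x in tls.getpeercert()["subject"])
            tls.sendall(b"ok")
    except ssl.SSLError as e:
        result["error"] = e.reason  # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE

def handshake(d, present_cert):
    """Return the commonName the server authenticated, or None if it refused."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    result = {}
    t = threading.Thread(target=run_server, args=(d, srv, result)); t.start()
    ctx = ssl.create_default_context(cafile=f"{d}/server.crt")
    if present_cert:  # key is decrypted in memory; only a signature crosses the wire
        ctx.load_cert_chain(f"{d}/client.crt", f"{d}/client.enc.key", password=PASSWORD)
    try:
        with socket.create_connection(srv.getsockname()) as s, \
             ctx.wrap_socket(s, server_hostname="server") as tls:
            tls.recv(2)
    except OSError:
        pass  # handshake rejected (or connection torn down right after) by the server
    t.join(); srv.close()
    return result.get("peer", {}).get("commonName")

def demo():
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return handshake(d, True), handshake(d, False)  # ("client", None)
```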