ftp://ftp.compaq.com/pub/products/security/embedded_security_-_implementation.pdf
...and as the ProtectTools implementation white-paper explains, their Embedded Security Manager uses the TPM to create wrapping keys, which are then used to encrypt the private keys of the user. The wrapped keys are then stored on the hard disk.

So, Dave's key (the one generated by his CA) was probably never in the TPM, but it was wrapped by a key stored in the TPM. I wonder, could this be why the key could not be found in the PKCS#11 module?

The HP implementation whitepaper makes it clear that: "The TPM can also protect keys generated outside ProtectTools Embedded Security. In this case, keys can be presented to the TPM through either the CryptoAPI or PKCS#11 interface."

I would guess that these keys can also be accessed through the PKCS#11 interface, but...

Regards,
Peter

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto