Dave Pinn wrote:
> I need to clarify something: there are two states in which I can have my
> notebook (the one with the TPM):
> 
> 1. Certificates directly (via ProtectTools import function) and fully
> (the icons indicate that private keys are available) imported into the
> TPM. This is the state in which I found my machine at the end of the
> certificate purchase process that I described earlier in detail. In this
> state, Thunderbird *cannot* see the certificates; nor can certutil.

Out of idle curiosity, I'd be interested in what NSS's pk11util sees.
But even if I had that information, I couldn't do much with it.
It would be of diagnostic value to the HP folks, but otherwise there's
little I could do about it, even if I knew exactly what it was doing.

> 2. Certificates indirectly (via Thunderbird) imported into the TPM. In
> this state, Thunderbird can see and use the certificates to sign and
> validate signed e-mails; but the icons in the ProtectTools Certificate
> Viewer show that the private key is not available.

I suspect (guess) that this means that the imported private keys are just
that, imported, and therefore the TPM cannot provide any assurances that
there are no copies of these keys elsewhere (which is one of the main
benefits of a TPM, IINM).

> certutil *can* see the certificates (I will re-verify this later tonight).
> It is unclear to me where the private keys are in fact stored; and that
> is my only remaining concern.

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
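The check both writers are circling (which PKCS#11 token NSS believes holds each private key) as an added shell example; it is not code from the thread, HP or Mozilla, and it assumes the NSS certutil tool is installed, that a profile database path is given in NSSDB, that certutil accepts `-h all` to walk every token, and a constructed sample listing:

```sh
#!/bin/sh
# Added example, not code from the thread: classify each private key NSS can
# see by the PKCS#11 token that holds it. A key listed only under the software
# token "NSS Certificate DB" lives in the NSS key database on disk, not in a
# hardware module such as a TPM.
# Assumptions: certutil is installed, $NSSDB points at the profile's NSS
# database, and SAMPLE below is constructed certutil -K output.

NSSDB="${NSSDB:-sql:$HOME/.pki/nssdb}"

# Reads "certutil -K" output on stdin and prints one line per key:
#   token=<token name> type=<key type> nick=<nickname>
parse_key_listing() {
    awk '
        /^certutil: Checking token "/ {
            # capture the token name between the first pair of quotes
            s = $0; sub(/^certutil: Checking token "/, "", s); sub(/".*$/, "", s)
            token = s; next
        }
        /^<[ 0-9]*>/ {
            sub(/^<[ 0-9]*>[ \t]*/, "")        # drop the "< n>" index
            ktype = $1
            nick = $0; sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", nick)   # past type and key id
            printf "token=%s type=%s nick=%s\n", token, ktype, nick
        }'
}

# Keys whose token is anything other than the NSS software token.
hardware_backed_keys() {
    parse_key_listing | grep -v '^token=NSS Certificate DB ' || true
}

# Live check against the real database (needs the tools; PIN prompts may appear).
list_keys_by_token() {
    certutil -K -d "$NSSDB" -h all 2>&1 | parse_key_listing
}

# Constructed sample of certutil -K output covering both cases.
SAMPLE='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0123456789abcdef0123456789abcdef01234567   NSS Certificate DB:dave-email
certutil: Checking token "TPM Token" in slot "TPM Slot"
< 1> rsa      fedcba9876543210fedcba9876543210fedcba98   tpm-signing'
```

Run `list_keys_by_token` against a live profile; a key that appears only under "NSS Certificate DB" was imported into the software database, which matches the "private key not available" icon in Dave's second state.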