Richard Levenberg wrote:
> Neither RFC2511 nor PKCS10 (Certificate Request specifications) mention
> the use of SPKAC. I'm pretty sure that SPKAC doesn't fit within PKCS10
> but I've only cursorily looked at RFC2511 so I'm not positive that a
> SPKAC couldn't be hammered in there somewhere. I know that many toolkits
> handle the SPKAC but I was wondering if any specification included it as
> a component of Certificate Requests.

Richard,

I didn't recognize the term "SPKAC" and didn't find it anywhere in mozilla sources or documentation. So I did some digging and found this.

The term "SPKAC" seems to be a term from OpenSSL documentation, a name for the format and content of the DER-encoded data sent by a Netscape or mozilla browser in response to a <KEYGEN> tag.

NSS seems to call it a PKAC, which is short for "Public Key And Challenge". NSS has a structure named CERTPublicKeyAndChallenge for this. See
http://lxr.mozilla.org/mozilla/search?string=PublicKeyAndChallenge

I found only one function in NSS that knows anything about that. It is SECKEY_ConvertAndDecodePublicKeyAndChallenge. It parses an input DER-encoded PKAC, and it is not called from any NSS libraries or QA test programs.

NSS has no code to create a PKAC, but PSM does. Therefore I consider NSS's PKAC code to be a misplaced part of PSM.

PSM encodes PKACs, apparently for <KEYGEN> tags. See
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsKeygenHandler.cpp#90
and
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsKeygenHandler.cpp#574

Now, to your question, which I gather is essentially "What standard (if any) defines the PKAC that mozilla sends in response to <KEYGEN> tags?" I think the short answers are:
a) I don't know yet, and
b) probably none!

I'll ask our PSM guru to look at this.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
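
An added example, not part of the thread and not NSS or PSM code: a minimal DER walk over the data discussed above, pulling out the challenge so a server can compare it with the one it issued. It assumes the commonly documented layout, which the thread does not spell out: an outer SEQUENCE of { SEQUENCE { SubjectPublicKeyInfo, IA5String challenge }, AlgorithmIdentifier, BIT STRING signature }. The function names and the sample bytes are constructed for illustration.

```python
import hmac

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, off=0):
    """Return (tag, value, next_offset); reject truncated or indefinite lengths."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nlen = first & 0x7F
        if nlen == 0 or nlen > 4 or off + nlen > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + nlen], "big")
        off += nlen
    if off + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + length], off + length

def parse_spkac(blob):
    """Split a DER SignedPublicKeyAndChallenge; the signature is NOT verified."""
    tag, outer, end = read_tlv(blob)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected exactly one outer SEQUENCE")
    t1, pkac, off = read_tlv(outer)          # PublicKeyAndChallenge
    t2, sig_alg, off = read_tlv(outer, off)  # AlgorithmIdentifier
    t3, sig, off = read_tlv(outer, off)      # BIT STRING signature
    t4, spki, o2 = read_tlv(pkac)            # SubjectPublicKeyInfo (contents only)
    t5, chal, o2 = read_tlv(pkac, o2)        # IA5String challenge
    if (t1, t2, t3, t4, t5) != (0x30, 0x30, 0x03, 0x30, 0x16) \
            or off != len(outer) or o2 != len(pkac):
        raise ValueError("not a SignedPublicKeyAndChallenge")
    return {"spki": spki, "challenge": chal.decode("ascii"), "signature": sig[1:]}

def challenge_matches(blob, issued):
    """Server-side check: constant-time compare with the challenge we issued."""
    return hmac.compare_digest(parse_spkac(blob)["challenge"].encode(), issued.encode())

# Constructed sample: dummy key and signature bytes, not a real key pair.
ALG = lambda oid: der(0x30, der(0x06, bytes.fromhex(oid)) + der(0x05, b""))
SPKI = der(0x30, ALG("2a864886f70d010101") + der(0x03, b"\x00" + b"\xaa" * 16))
PKAC = der(0x30, SPKI + der(0x16, b"nonce-1234"))
SAMPLE = der(0x30, PKAC + ALG("2a864886f70d01010b") + der(0x03, b"\x00" + b"\x5a" * 128))
```

Matching the challenge only ties the blob to the form that was served; proof that the sender holds the private key comes from verifying the signature over the inner SEQUENCE, which this sketch leaves to a crypto library.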