Eddy Nigg wrote:
On 12/27/2008 12:44 AM, Subrata Mazumdar:
A related question:
Is it possible to configure the NSS Soft-Token associated with the
internal slot like smart-card based token so that the private key key
cannot be exported out of the token?
If not, would it be useful feature to support?
Even in the token case, this is only true if the key was generated in the token. If 'key recovery' is turned on, NSS generates the key in softoken and writes it to the token (after wrapping it with the escrow key).

So it turns out even with crmf, escrow does not happen quietly. If the CA requests a key be escrowed, the user is notified:

http://mxr.mozilla.org/firefox/source/security/manager/ssl/src/nsCrypto.cpp#1905

bob
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to