"Robert Relyea" <[EMAIL PROTECTED]> wrote:

> Yes, you can examine the entire life-cycle of the private key by
> examining the code in mozilla/security/nss/lib/softoken. Also note that
> these statements apply to the user's token, or permanent key. Temporary
> or "session" keys stay in memory in the clear for the lifetime of the
> key (though they are also cleared out after use). [...]
>
> Most of this you can verify by looking at the softoken. The other place
> to look for is the PK11 wrapper code which does most of the key
> movement, and pretty much the only other place you will find in the
> clear key material. Victor's point about passwords would require
> checking the password code in the application.

Thanks a lot for your interesting and clear response. This helps to prove my opinion that Netscape 6.2.* is quite safe regarding the memory-scan-attacks described earlier. When I find the time, I'll certainly have a look at the code sections you mentioned above.

Thanks,
Tom.
