Thanks a lot for the reply David. First I will explain my threat model. I have got lot of employees who do some transactions around the world sitting in their branch offices and I need to authenticate them using DC. So they raise a request from their browser and I provide them with a certificate from my openssl.The browser will be in the PC of the office branches.
Now the threat is, If an agent export the certificate he acquired in a USB or in someother way and goes to his home pc or somewhere else and he imports the certificate to his personal PC and started doing transactions.This cannot be allowed and the agent should do only transactions from his office PC allotted to him. As you have said, simply graying out the option to export the key is sufficient. But the agent is a franchisee and I cannot force them to install or do something in their pcs,nor can I check whether they are ensuring the instructions.So I cannot force or tell the agent to do some configuration/modification in his PC or browser. if he uninstalls and deletes the certificates/browser or change his PC ,I shall issue him a new certificate. He shouldnt be able to export/backup the private key or the certificate I have issued to him. Also this is not an issue in IE , as I can disable the option to export the private key.So in IE, this requirement works well. But I cannot enforce the agents to use Windows/Linux or IE /Mozilla.The agents have the choice of infrastructure they can use.So I cannot enforce them to use IE or Windows. 2009/7/15 David Schwartz <dav...@webmaster.com> > > tito wrote: > > > I have used SPKAC format to request a digital certificate from mozilla > > and signed the request with my master key from open ssl and imported it > > to my mozilla. I can readily export (backup)the private key + certificate > > from mozilla and import it to some other system's mozilla browser. I dont > > want this to happen. I dont want the private key to be exported. is there > > any option in openssl to disable this. > > It's not really possible to give you useful advice without understanding > your threat model. For example, would simply graying out the option to > export the key suffice? Or do you need to prevent the key from being > extracted even by a determined attacker? (For example, is simply shutting > off Mozilla's export option sufficient even if Mozilla is still capable of > exporting the key?) > > In principle, for Mozilla to prove it is entitled to use the certificate, > it > must perform operations using the private key. Unless the key is stored in > a > hardware token, there is no way to stop it from exporting the very same > private key data it is using to perform those key operations. > > What is your outer problem? Are you trying to prevent against user error? > Are you trying to protect against malicious corruption of the browser by a > determined attacker with access to the local system? > > DS > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
