Yes, you are correct. This applies only to non-tech-savvy users. They are not
going to export the certificate in the first place, and they are not computer
geeks; they are just common computer users. And they won't have first-hand
knowledge about exporting the certificate, or even know what a
certificate is.

I just wanted to find out how much protection I can give, that's all. I shall
think about PKCS#11; implementing hardware tokens is beyond the scope of my
requirement.

I thank everyone for supporting my queries.

2009/7/15 Dr. Stephen Henson <st...@openssl.org>

> On Wed, Jul 15, 2009, tito wrote:
>
> > Thank you for replying.
> >
> > This is what I can conclude from the inputs I got.
> >
> > 1. Mozilla has no way to lock/disable the private key export when we
> > export the certificate.
> >
> > 2. I would have to trust my agents, or write into the contract, that they
> > will not use the certificate other than on the designated PC where the
> > request for the certificate was done.
> >
> > If anyone has any other opinions about it, please let me know. Thanks a
> > lot.
> >
>
> It seems your threat model is only against a non-tech-savvy user. MSIE
> unexportable private keys can be exported if you know how, and even if you
> could enforce greying out of the Mozilla export option, the certificate and
> key database files are easily backed up anyway.
>
> A possibility would be to use a PKCS#11 soft-token which won't export keys.
> I'm not aware of any such thing, but it could be done. It would need to
> encrypt its key database in such a way that it would only work on one PC.
>
> Again, a knowledgeable user could easily bypass that, and nothing short of a
> hardware token would help against that.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>