Nelson Bolyard wrote: > You generated the key pair on a PC that didn't have the TPM chip. > So the private key couldn't have been generated in the TPM chip, > and when you generated it, mozilla (FF/TB/SM) didn't ask you which > device you wanted to use to generate the keypair because, on that > machine, there was no choice to be made.
Well, I don't quite understand this, but I think it depends on the way that the HP developers of the PKCS#11 module implemented this. In general, the TPM can generate keys. Some of them, the root keys never ever leave the the TPM - this is partially how trust is achieved. Other keys can be created by the TPM and can be migratable and non-migratable. Yet a third kind of keys can be generated externally, bu t be protected by the TPM (i.e. by one of the keys stored in the TPM). In this case, the TPM creates a wrapping key and uses it to protect the user key. Apparently, Dave's key is of this third kind since his private key was generated by his CA. Protecting the key in the TPM can get even fancier - a key can be tied to a values of one or more of the PCR registers in the TPM, i.e. the key can be used only when the PCR values it is bound to match. However, I suspect this isn't the case with the HP PKCS#11 module... Now, how these keys and the corresponding certificates would be made available in the PLCS#11 module, seems to be up to the module implementation... As Wan-Teh, I also wish I had one of these HP-s with the TPM and the fingerprint reader... I am using the TPMs shipped with some of IBM/Lenovo's ThinkPads. We are working under Linux and we use the TPM open-source driver and library developed by IBM. This library provides a lower-level API, the HP module is probably using something similar. A question unrelated to NSS, but related to this thread: does anybody know how Windows provides access to the TPM? The work we do under Linux restricts access to the device. In general, I think access to the TPM shouldn't be given to any application (at least not yet) because the TPM-enabled functionality can be abused - i.e. to lock document contents to a particular application, etc. Regards, Peter _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
