Peter Djalaliev wrote:
> Nelson Bolyard wrote:
> 
>> You generated the key pair on a PC that didn't have the TPM chip.
>> So the private key couldn't have been generated in the TPM chip,
>> and when you generated it, mozilla (FF/TB/SM) didn't ask you which
>> device you wanted to use to generate the keypair because, on that
>> machine, there was no choice to be made.
> 
> Well, I don't quite understand this, but I think it depends on the way
> that the HP developers of the PKCS#11 module implemented this.  

Dave told us there were two PCs involved, a desktop PC (of unknown brand
and capabilities), and a notebook PC (the HP with the TPM).  I presume
that the desktop PC did not have a TPM, or certainly not THE TPM on his
notebook.

He told us that he went through the process of generating the Certificate
Signing Request (which generates the key pairs) on the desktop PC.

When you generate a CSR/key-pair with mozilla clients, if you have two or
more PKCS#11 slots that are capable of doing it, mozilla will ask you which
to use (IIRC).  If you only have one, then mozilla doesn't ask.  Dave didn't
report that he was asked, and I think this is because the desktop PC had
only one PKCS#11 module, that being mozilla's own "softoken".

> In general, the TPM can generate keys.  Some of them, the root keys never
> ever leave the TPM - this is partially how trust is achieved.

I'd expect the private and secret ones do not, and the public ones do.
Otherwise, they're not very useful.  :)

> Other keys can be created by the TPM and can be migratable and
> non-migratable.  Yet a third kind of keys can be generated externally,
> but be protected by the TPM (i.e. by one of the keys stored in the
> TPM).  In this case, the TPM creates a wrapping key and uses it to
> protect the user key.  Apparently, Dave's key is of this third kind
> since his private key was generated by his CA.

I didn't read anything that suggested that he didn't generate his own
private keys.

A week after applying for his certificate, he downloaded the certificate
onto the same desktop box where he had generated the CSR, which combined
the cert and private key in the same mozilla softoken module.  Then he
"exported" the cert and private key into a PKCS#12 file, which he then
imported onto the notebook.  That's how I read the description.

Dave, if I misunderstood, please jump in here.  :)

> Now, how these keys and the corresponding certificates would be made
> available in the PKCS#11 module, seems to be up to the module
> implementation...

Agreed.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
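The flow Nelson reconstructs above (local key generation, a CSR sent to the CA, the issued cert joined with the private key and exported as PKCS#12) can be replayed with the openssl command line instead of a Mozilla client. The script below is an added example written for this page; it is not code from the thread, from Mozilla, or from HP's PKCS#11 module. It assumes `openssl` is installed, and the subject names (`dave.example`, `demo-ca`), the PKCS#12 password and the file paths under `$WORK` are constructed for the demonstration. The point it makes concrete is the one in dispute: a CSR carries the public key and a signature made with the private key, so a CA that only ever receives the CSR cannot have generated the private key.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Replays the CSR -> cert -> PKCS#12
# flow with the openssl CLI. All names and paths below are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"

# Step 1: generate the key pair locally. Only key.pem ever holds the private key.
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -subj "/CN=dave.example" \
    -out "$WORK/req.csr" 2>/dev/null
}

# Step 2: inspect what the CA receives. Returns success only if the CSR file
# contains a private key block, which it should not.
csr_has_private_key() {
  grep -q 'PRIVATE KEY' "$WORK/req.csr"
}

# The CSR is self-signed with the requester's private key; the CA checks that
# signature to confirm the requester holds the key matching the public key inside.
csr_signature_ok() {
  openssl req -in "$WORK/req.csr" -noout -verify >/dev/null 2>&1
}

# Step 3: stand in for the CA with a throwaway self-signed CA and sign the request.
issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=demo-ca" -days 1 -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# Step 4: the "export" step. The cert and the locally held private key are
# combined into one password-protected PKCS#12 file for import elsewhere.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout pass:demo -out "$WORK/dave.p12" 2>/dev/null
}

# Sanity check: the public key in the issued cert must be the one derived from
# the private key generated in step 1.
cert_matches_key() {
  a=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/key.pem" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Run the whole flow and report each check.
run_demo() {
  gen_key_and_csr
  if csr_has_private_key; then echo "CSR contains a private key (unexpected)"; \
    else echo "CSR contains no private key"; fi
  csr_signature_ok && echo "CSR self-signature verifies"
  issue_cert
  export_p12
  cert_matches_key && echo "cert public key matches local private key"
  echo "PKCS#12 written to $WORK/dave.p12"
}

if [ "${1:-}" = "--run" ]; then run_demo; fi
```

Run it as `sh script.sh --run`; the files are left in `$WORK` so the CSR and the PKCS#12 can be inspected with `openssl req -text` and `openssl pkcs12 -info`. Note that on the importing machine the PKCS#12 lands in whichever PKCS#11 module the client chooses, which is the separate question the thread leaves to the module implementation.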