Hi Bob, thanks for all your help by the way, got me much further so far. Robert Relyea wrote: > You really only want to store and retrieve the private keys if you you > need to transport them (or back them up). Doing the latter needs to be > handled carefully, and can be a source of errors in your protocol.
This is fine for my uses I think. So long as the private key is somewhere safe that is backupable (the nss certificate database is fine by me) then thats all good. > A better way to handle it (if you absolutely must use bare keys), is > store your private keys as persistant keys. You can use the KeyID and > the slot the key is stored in to find the key again (PK11_FindKeyByID to > find it PK11_GetLowLevelKeyIDForPrivatekey() to get the KeyID). I'm not totally sure I follow you. Let me just quickyl explain what I am wanting to present to the user. They should pretty much not have to worry about certificates or anything like that. All that matters is that they can create a public/private key pair and that my app can show them a list of what key pairs they have created before and then use them. I have this pretty much working but I think I've slightly hacked it. What I've done is assigned a nickname to the private key when it's created. That seems nice until I come to retrieve the key, it seems there isnt a way to retrieve a key by nickname instead I just have to enumerate all keys till I find the one with the nickname. This isn't so bad, there shouldn't be many keys but maybe I'm going about this the wrong way? > Usually NSS uses the certificate. There are functions to help you find > the most appropriate certificate, and then from that certificate find > the private key that is associated with it. I probably have the wrong view of certificates, but my understanding is that they have all sorts of other associated data about then, CN etc and more crucially expiries. Is this right or am I wrong? In which case I'd happily switch over to certificates if that helps me achieve my above goal. One other final thing I'm stumbling over is key and hash types. I recognise the names RSA and DSA but is there a particular advantage of using one over the other? And likewise when I'm signing my data should I hash it using MD5, SHA-1 or any of the other SHAs. I think I read somewhere that RSA keys should be used with MD5 hashes and DSA with SHA-1, is this right? Dave _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
