Hi Jan,

Nelson Bolyard or others can probably answer this question better, but I believe that the generated key is inserted into the NSS cert/key database and waits to be paired with a certificate. If the certificate doesn't come back, this may explain why your key database file is growing. I don't think that Firefox has some GUI feature to manage those keys. If the certificate comes back, Firefox allows users to export the key and certificate in PKCS#12 format.
The NSS certutil tool (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html) traditionally allows a user to manage the certificate and key database files, but I don't know if it can delete "orphan" keys.

My understanding is that the <keygen> element is used primarily to enable web-based certificate management systems. As such, the newly generated public key (or a certificate signing request) is included in an HTML form to the web CA, which issues the certificate. The client then uses this certificate to authenticate with servers who support client TLS authentication. While this key (theoretically) could be used to authenticate the user in other ways, AFAIK Firefox does not provide any API to do so.

Best Regards,
Peter Djalaliev

On Jun 1, 9:31 am, "Jan Schejbal" <jan.schejbal_n...@gmx.de> wrote:
> I did of course google and I did find the site you linked, but it did
> not help me much, as I found no information on what has to happen
> server-side (or links to such information). I understand that the key
> is generated, stored and a SignedPublicKeyAndChallenge POSTed to the
> server. I had not recognized that SignedPublicKeyAndChallenge is a
> standard format. After I found that out, it seems to be a bit clearer
> to me. I assume that the server then may generate a certificate for
> that key and send it back to the client. Firefox will then probably
> install the certificate as an SSL client cert and allow authentication.
>
> However, if this does not happen, i.e. for some reason the key gets
> generated but the server fails to respond with a certificate, what will
> happen with the key? As I already said, I did not find any UI (or any
> way at all for that matter) for managing those keys, actually there
> seems no way to access or delete those keys at all. Is there?
>
> Jan
>
> --
> Please avoid sending mails, use the group instead.
> If you really need to send me an e-mail, mention "FROM NG"
> in the subject line, otherwise my spam filter will delete your mail.
> Sorry for the inconvenience, thank the spammers...

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
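Server-side handling of the SignedPublicKeyAndChallenge (SPKAC) that Jan and Peter describe, as an added example that is not part of this thread or of NSS: a minimal DER parser that splits the structure the browser POSTs and checks the embedded challenge against the one the CA issued for that session. The OIDs are the standard rsaEncryption and sha1WithRSAEncryption values; the key bits, signature bits and challenge in the sample are constructed placeholders, and verifying the signature over PublicKeyAndChallenge with the embedded key is assumed to be done afterwards with a crypto library.

```python
import base64
import hmac

def read_tlv(buf, pos, want):
    """Read one definite-length DER TLV at buf[pos]; return (value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_spkac(b64):
    """Split a base64 SPKAC into (spki_der, challenge, sig_alg_der, signature_bytes)."""
    der = base64.b64decode(b64)
    outer, end = read_tlv(der, 0, 0x30)         # SignedPublicKeyAndChallenge ::= SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after SPKAC")
    pkac, pos = read_tlv(outer, 0, 0x30)        # PublicKeyAndChallenge ::= SEQUENCE
    spki, p = read_tlv(pkac, 0, 0x30)           # SubjectPublicKeyInfo, kept as a DER blob
    challenge, p = read_tlv(pkac, p, 0x16)      # challenge IA5String
    if p != len(pkac):
        raise ValueError("trailing bytes in PublicKeyAndChallenge")
    sig_alg, pos = read_tlv(outer, pos, 0x30)   # signatureAlgorithm AlgorithmIdentifier
    sig_bits, pos = read_tlv(outer, pos, 0x03)  # signature BIT STRING (first byte = unused bits)
    if pos != len(outer) or sig_bits[:1] != b"\x00":
        raise ValueError("malformed signature field")
    return spki, challenge.decode("ascii"), sig_alg, sig_bits[1:]

def challenge_matches(b64, expected):
    """Anti-replay check on the CA side: the signed challenge must be the one this session issued.
    The signature itself still has to be verified with the embedded key (not done here)."""
    return hmac.compare_digest(parse_spkac(b64)[1].encode(), expected.encode())

def der_tlv(tag, body):
    return bytes([tag, len(body)]) + body       # short-form length only; sample bodies are < 128 bytes

def build_sample_spkac(challenge):
    """Constructed test vector: correct structure, placeholder key and signature bits."""
    rsa_alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + bytes.fromhex("3006020103020103")))
    pkac = der_tlv(0x30, spki + der_tlv(0x16, challenge.encode("ascii")))
    sig_alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010105") + b"\x05\x00")  # sha1WithRSAEncryption
    sig = der_tlv(0x03, b"\x00" + b"\xab" * 16)  # placeholder signature, not a real one
    return base64.b64encode(der_tlv(0x30, pkac + sig_alg + sig)).decode()
```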