FIPS 140-1 as a standard permits you to output private keys in plaintext for levels 1 and 2.
For levels 3 and 4, you can still output the private key, but it must be encrypted or split.
-----Original Message-----
From: Mitchell Arnone [mailto:marnone@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, November 27, 2001 5:48 PM
To: RAGHAVENDRAN H. (SSG) - CTD, Chennai.; ietf-pkix@xxxxxxx
Subject: Re: A PKI Question: PKCS11-> PKCS12
It depends on the Smart Card in use. Most Smart Cards that meet standards
like FIPS 140-1 Level 2 will not let you export the private key ever. This
is necessary to support non-repudiation. It makes total sense.
Mitch
At 11:17 AM 11/27/2001, RAGHAVENDRAN H. (SSG) - CTD, Chennai. wrote:
>Hi List:
>
>Sorry this may be off the list, but I thought this is the best "PKI" place
>to ask this question :-)
>
>Myself and my friend had a discussion in which he says that when I put a
>private key/certificate pair into a smart card device (such as GPK 4000), it
>is impossible to read the information and create a PKCS12 file (disk based)
>out of it.
>
>I find it mighty strange. For example, I might want to swap my
>certificate/key pair from one smart card to another and I might want to do
>it via the PKCS12 format.
>
>Can anybody say whether this is possible or not?
>
>Some of my friends say that it "may be" possible to export only the
>Certificate and not the private key associated with it. I don't see sense in
>any of this argument.
>
>In fact, what is the point in jailing the private key for life in a single
>smart card? This argument is totally contrary to logical thinking.
>
>Pls. guys, I'd be grateful if you could answer this question.
>
>Regards,
>Raghav
***********************************************************
Mitchell Arnone
Senior Consultant
Technical Consulting Practice, Northeast Region
Schlumberger Network Solutions
marnone@xxxxxxxxxxxxxxxxxxxxxx
www.slb.com/nws
35 Waterview Blvd.
Suite 210
Parsippany, NJ 07054-1200
USA
Phone +1 410-579-8691
Mobile +1 443-838-9373
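Added example, not code from this thread or from any of its authors: a minimal model of the PKCS#11 attribute rules that decide whether a token-held private key can leave the device at all, which is the mechanism behind the "depends on the card" answers above. Under PKCS#11 v2.x a key with CKA_SENSITIVE set cannot have its secret components read with C_GetAttributeValue (CKR_ATTRIBUTE_SENSITIVE), a key with CKA_EXTRACTABLE cleared cannot be wrapped with C_WrapKey (CKR_KEY_UNEXTRACTABLE), and both settings are one-way: CKA_SENSITIVE cannot go back to FALSE and CKA_EXTRACTABLE cannot go back to TRUE. That leaves three routes to a PKCS#12 file: plaintext read (the level 1/2 behaviour mentioned in the first reply), export only under a wrapping key (the encrypted form required at levels 3 and 4), or no export at all (the smart-card case). The wrapping cipher below is a toy stand-in built from a SHA-256 counter keystream, not a real mechanism such as CKM_AES_KEY_WRAP, and the key material, labels and wrapping key are constructed for the example.

```python
"""Model of the PKCS#11 attributes that govern private-key export.

Added example: talks to no real token. The toy wrap cipher (SHA-256 counter
keystream XOR) stands in for a real wrapping mechanism and is NOT secure.
"""
import hashlib

# Attributes that C_GetAttributeValue refuses to return for a sensitive key.
SENSITIVE_ATTRS = {"CKA_PRIVATE_EXPONENT", "CKA_PRIME_1", "CKA_PRIME_2"}


class Pkcs11Error(Exception):
    """Carries a CKR_* code name, as the PKCS#11 call would return it."""


class PrivateKeyObject:
    """A private key object with the attributes that matter for export."""

    def __init__(self, label, material, sensitive=True, extractable=False):
        self.attrs = {
            "CKA_LABEL": label,
            "CKA_PRIVATE_EXPONENT": material,  # stands in for all secret parts
            "CKA_SENSITIVE": sensitive,
            "CKA_EXTRACTABLE": extractable,
            # Read-only history attributes maintained by the token.
            "CKA_ALWAYS_SENSITIVE": sensitive,
            "CKA_NEVER_EXTRACTABLE": not extractable,
        }

    def set_attribute(self, name, value):
        """C_SetAttributeValue with the one-way transition rules."""
        if name == "CKA_SENSITIVE":
            if self.attrs[name] and not value:
                raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")  # TRUE is final
            self.attrs[name] = value
            self.attrs["CKA_ALWAYS_SENSITIVE"] = self.attrs["CKA_ALWAYS_SENSITIVE"] and value
        elif name == "CKA_EXTRACTABLE":
            if not self.attrs[name] and value:
                raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")  # FALSE is final
            self.attrs[name] = value
            self.attrs["CKA_NEVER_EXTRACTABLE"] = self.attrs["CKA_NEVER_EXTRACTABLE"] and not value
        elif name in ("CKA_ALWAYS_SENSITIVE", "CKA_NEVER_EXTRACTABLE"):
            raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")
        else:
            self.attrs[name] = value

    def get_attribute(self, name):
        """C_GetAttributeValue: secret parts of a sensitive key are unreadable."""
        if name in SENSITIVE_ATTRS and self.attrs["CKA_SENSITIVE"]:
            raise Pkcs11Error("CKR_ATTRIBUTE_SENSITIVE")
        return self.attrs[name]


def _keystream(wrapping_key, length):
    """Toy keystream for the stand-in wrap cipher (not a real KDF/cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(wrapping_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_key(wrapping_key, key):
    """C_WrapKey: the key may leave the token, but only under another key."""
    if not key.attrs["CKA_EXTRACTABLE"]:
        raise Pkcs11Error("CKR_KEY_UNEXTRACTABLE")
    material = key.attrs["CKA_PRIVATE_EXPONENT"]
    return bytes(a ^ b for a, b in zip(material, _keystream(wrapping_key, len(material))))


def unwrap_key(wrapping_key, blob):
    """Inverse of wrap_key, as the receiving token's C_UnwrapKey would do."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(wrapping_key, len(blob))))


def export_route(key, wrapping_key=None):
    """Which route, if any, could feed a PKCS#12 file from this key object.

    Returns ("plaintext", material), ("wrapped", blob) or ("none", CKR_* reason).
    """
    try:
        return "plaintext", key.get_attribute("CKA_PRIVATE_EXPONENT")
    except Pkcs11Error:
        pass  # sensitive: fall through to wrapping
    if wrapping_key is None:
        return "none", "CKR_KEY_UNEXTRACTABLE" if not key.attrs["CKA_EXTRACTABLE"] else "no wrapping key"
    try:
        return "wrapped", wrap_key(wrapping_key, key)
    except Pkcs11Error as e:
        return "none", str(e)


if __name__ == "__main__":
    kek = b"constructed-wrapping-key"  # constructed for the example
    for label, sens, extr in (("soft-token", False, True),
                              ("hsm-wrappable", True, True),
                              ("smart-card", True, False)):
        key = PrivateKeyObject(label, b"\x01\x02\x03\x04", sens, extr)
        route, payload = export_route(key, kek)
        print(f"{label:14} CKA_SENSITIVE={sens!s:5} CKA_EXTRACTABLE={extr!s:5} -> {route}: {payload!r}")
```

In the model, "plaintext" is the only route that yields something `openssl pkcs12 -export` could consume directly; "wrapped" gives you material only a token holding the same wrapping key can unwrap, which is the migration path between devices that never expose the key in the clear; and "none" is what a card that ships with CKA_SENSITIVE set and CKA_EXTRACTABLE cleared returns, with no attribute change able to reopen it.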