RE: A PKI Question: PKCS11-> PKCS12

[lynn.wheeler@xxxxxxxxxxxxx]

note that bank vaults and armored trucks have things put into and taken out
of them all the time ... and they are still considered secure.

in the scenario of digital signature & public key for authentication, it is
possible that there is a  business requirement for non-divulging/exporting
the private key.

however, in the scenario of hardware tokens protecting private key(s)
involved in secrecy/privacy encryption there can be significant reasons for
having private key replication ... especially if very valuable corporate
assets are involved.

hardware tokens can be secure .... whether they implement private key
exporting or not. In the business process of authentication there can be
higher confidence that with a non-export private key policy there is
improved non-repudiation. However, that shouldn't negate the fact that
similar secure hardware tokens can't be used to protect private keys that
have been replicated for various business purposes (that don't involve
things like non-repudiation).

There can be some confusion when identical technology is being used for
totally different and distinct business purposes .... where the associated
business requirements for the different business processes can place
different requirements on the technology.




<RCulshaw@xxxxxxxxxxxx> on 11/27/2001 4:27 PM wrote:



HI there,

I have tested numerous different smart cards/USB tokens and software
combinations and have not seen one that offers a p12 export facility. The
Purpose of having a smart card is to be able to securely store the Private
key, if it can be exported from the smart card/token then it isn't really
secure.

Richard Culshaw