Closed Bug 360425 Opened 18 years ago Closed 6 months ago

support single-usage keys

Categories: NSS :: Libraries, enhancement, P5
Version: 3.11.3
Tracking: (Not tracked)
Status: RESOLVED INACTIVE
People: Reporter: nelson, Unassigned
Whiteboard: FIPS

NIST has proposed to require that any public or private key be usable 
only for signing, or only for encryption (e.g. key wrapping, key transport), 
but not for both.  

This would be a requirement of a future revision of FIPS 140.

Our PKCS#11 module has the ability to create such single-usage keys,
and to record that keys are single usage (I think), but many of NSS's
APIs for requesting keys have no ability to request this single usage.

AFAIK, we have no way to request the generation of a key pair where the 
generated keys will be usable only for signature and not for encryption,
or vice versa.  It is also not clear that we have any way to ensure that
a certificate request for a single usage key will request a cert whose
extensions identify it as valid only for that single usage.  

This strikes me as a bigger enhancement than the enhancement for 
single-usage certs in libSSL.  It affects tools also.
Bug 360600 is one manifestation of this issue.
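As an added illustration (not NSS code), the following Python models the two halves of what the report asks for: a PKCS#11 key-pair template that pins every usage flag to a single role, and a check that a certificate request's keyUsage claims only what that key can actually do. The attribute codes are the standard pkcs11t.h values; the helper functions and the dict-based template shape are hypothetical.

```python
# PKCS#11 attribute type codes (pkcs11t.h). A real template is an array of
# CK_ATTRIBUTE; a dict of {code: CK_BBOOL} stands in for it here.
CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP = 0x104, 0x105, 0x106, 0x107
CKA_SIGN, CKA_VERIFY = 0x108, 0x10A

# X.509 keyUsage bit names (RFC 5280 4.2.1.3) grouped by role.
SIGN_KU = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}
ENC_KU = {"keyEncipherment", "dataEncipherment"}


def keypair_templates(usage):
    """Return (public, private) templates for a single-usage key pair.
    Every flag the key must NOT have is set explicitly to False, so a token
    whose default for an unset flag is True still yields a single-usage key."""
    if usage not in ("sign", "encrypt"):
        raise ValueError("usage must be 'sign' or 'encrypt'")
    sign = usage == "sign"
    public = {CKA_VERIFY: sign, CKA_ENCRYPT: not sign, CKA_WRAP: not sign}
    private = {CKA_SIGN: sign, CKA_DECRYPT: not sign, CKA_UNWRAP: not sign}
    return public, private


def classify_private(attrs):
    """Classify a private key by its usage flags: sign, encrypt, dual or none.
    'dual' is exactly the state the proposed FIPS 140 rule forbids."""
    can_sign = bool(attrs.get(CKA_SIGN, False))
    can_enc = bool(attrs.get(CKA_DECRYPT, False) or attrs.get(CKA_UNWRAP, False))
    if can_sign and can_enc:
        return "dual"
    return "sign" if can_sign else "encrypt" if can_enc else "none"


def cert_request_consistent(attrs, key_usage):
    """True when the requested keyUsage bits are non-empty and fall entirely
    within the one role the private key is restricted to."""
    role = classify_private(attrs)
    ku = set(key_usage)
    allowed = {"sign": SIGN_KU, "encrypt": ENC_KU}.get(role)
    return allowed is not None and bool(ku) and ku <= allowed


if __name__ == "__main__":
    _, priv = keypair_templates("sign")
    print(classify_private(priv))                                   # sign
    print(cert_request_consistent(priv, {"digitalSignature"}))      # True
    print(cert_request_consistent(priv, {"keyEncipherment"}))       # False
```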
Depends on: 360600
Blocks: FIPS2008
Whiteboard: FIPS
Removed from FIPS2009. Will consider for future release.
No longer blocks: FIPS2008
Severity: normal → S3
Severity: S3 → N/A
Status: NEW → RESOLVED
Closed: 6 months ago
Priority: -- → P5
Resolution: --- → INACTIVE