Security Policy: Difference between revisions

The NSS cryptographic module uses '''role-based authentication''' to control access to the module. To perform sensitive services using the cryptographic module, an operator must explicitly request to assume the NSS User role by logging into the module, and perform an authentication procedure using information unique to that operator (individual password). The password is initialized by the crypto officer as part of module initialization. Role-based authentication is used to safeguard a user's '''private key''' information. However, Discretionary Access Control (DAC) is used to safeguard all other NSS User information (e.g., the public key certificate database).

Authentication shall always be required upon initializing the NSS cryptographic module in the FIPS mode. If a PKCS #11 function that requires authentication is called before the NSS User is authenticated, it returns the <code>CKR_USER_NOT_LOGGED_IN</code> error code. Call the PKCS #11 function <code>FC_Login</code> to provide the required authentication.