Kiyoshi Watanabe wrote:
>
> Dear all,
>
> Let me ask: if I omit to specify the nsCertType extension,
> can the certificate be used for keyEncipherment even if I specify
> only digitalSignature in keyUsage?
>
> Does anyone know whether Netscape recognizes the keyUsage bits and limits
> the usage of the certificate?
>
Yes, Netscape does recognise the extension up to a point. If nsCertType
is omitted the certificate can be used for any of the nsCertType uses
*except* object signing. However this may conflict with other uses, for
example you shouldn't be able to use a certificate for client
authentication if keyUsage is present and digitalSignature isn't set. I
haven't personally done any exhaustive test of what it does enforce.
Some documentation about the behaviour is at:
http://home.netscape.com/eng/security/comm4-cert-exts.html
There is an inconsistency here though. An SSL/TLS server certificate, if
it includes keyUsage, must have keyEncipherment set, otherwise an error
occurs when attempting to connect to the server. However an SSL/TLS
server certificate may be used for both signing and key encipherment
depending on the cipher suite. Netscape will not reject an SSL/TLS
server certificate if it is used for signing in a cipher suite even if
keyUsage is present and digitalSignature is not set.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
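As an added illustration (this is not code from Steve's post, from Netscape or from OpenSSL), the following script decodes the DER BIT STRING that carries the keyUsage and nsCertType extensions in an X.509 certificate and applies the rules described above: nsCertType absent means every nsCertType use except object signing, client authentication requires digitalSignature when keyUsage is present, and Netscape's server check only insists on keyEncipherment no matter what the cipher suite actually does with the key. The bit positions are the standard X.509 / Netscape ones; every function name, and the stricter per-cipher-suite check at the end, are this example's own.

```python
# Added example, not part of the original post. Decodes/encodes the DER
# BIT STRING used by the X.509 keyUsage and Netscape nsCertType extensions
# and applies the usage rules Steve describes. All names are this
# example's own; the DER bytes below are constructed by hand.

# Bit positions as defined for X.509 KeyUsage (bit 0 = digitalSignature).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
# Bit positions of the Netscape nsCertType extension (bit 0 = client).
NS_CERT_TYPE_BITS = [
    "client", "server", "email", "objsign",
    "reserved", "sslCA", "emailCA", "objCA",
]


def decode_bit_string(der: bytes, names) -> set:
    """Decode a short DER BIT STRING (tag 0x03) into the set of named bits
    that are set. Bit 0 is the most significant bit of the first byte."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    result = set()
    for i in range(min(total_bits, len(names))):
        byte, offset = divmod(i, 8)
        if body[byte] & (0x80 >> offset):
            result.add(names[i])
    return result


def encode_bit_string(names_set, names) -> bytes:
    """Encode named bits as a minimal DER BIT STRING: trailing zero bits are
    dropped, which is the form OpenSSL emits for keyUsage."""
    if not names_set:
        return b"\x03\x01\x00"
    indices = [names.index(n) for n in names_set]
    highest = max(indices)
    body = bytearray(highest // 8 + 1)
    for i in indices:
        body[i // 8] |= 0x80 >> (i % 8)
    unused = len(body) * 8 - (highest + 1)
    content = bytes([unused]) + bytes(body)
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der): return decode_bit_string(der, KEY_USAGE_BITS)
def encode_key_usage(names): return encode_bit_string(names, KEY_USAGE_BITS)
def decode_ns_cert_type(der): return decode_bit_string(der, NS_CERT_TYPE_BITS)
def encode_ns_cert_type(names): return encode_bit_string(names, NS_CERT_TYPE_BITS)


def ns_cert_type_uses(ext):
    """Uses permitted by nsCertType: the bits that are set, or, when the
    extension is absent (ext is None), every use except objsign."""
    if ext is None:
        return {n for n in NS_CERT_TYPE_BITS if n not in ("objsign", "reserved")}
    return decode_ns_cert_type(ext)


def client_auth_allowed(key_usage_ext):
    """Client authentication: no restriction if keyUsage is absent;
    otherwise digitalSignature must be set."""
    if key_usage_ext is None:
        return True
    return "digitalSignature" in decode_key_usage(key_usage_ext)


def netscape_server_cert_accepted(key_usage_ext):
    """The check Steve describes: a server cert carrying keyUsage must have
    keyEncipherment; digitalSignature is never required, even when the
    cipher suite uses the certificate key for signing."""
    if key_usage_ext is None:
        return True
    return "keyEncipherment" in decode_key_usage(key_usage_ext)


def strict_server_cert_ok(key_usage_ext, suite_uses):
    """Stricter, cipher-suite-aware check (this example's own, not
    Netscape's): every use the suite makes of the key must be asserted."""
    if key_usage_ext is None:
        return True
    return set(suite_uses) <= decode_key_usage(key_usage_ext)


if __name__ == "__main__":
    ku = encode_key_usage({"keyEncipherment"})          # constructed
    print(ku.hex(), decode_key_usage(ku))
    print("client auth:", client_auth_allowed(ku))
    print("netscape server:", netscape_server_cert_accepted(ku))
    print("strict, signing suite:", strict_server_cert_ok(ku, {"digitalSignature"}))
```

Run it as-is to see the three checks disagree on a keyEncipherment-only certificate: Netscape accepts it as a server certificate and a signing cipher suite would still go through, while the stricter check rejects it and client authentication is refused because digitalSignature is absent.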