On Thu, Aug 29, 2002, Jason Haar wrote:

> I'm trying to build an internal PKI, and have found that the effort I
> went through to stop people using SSL client certs for SMIME appears to have
> been in vain...
>
> Outlook Professional appears to ignore the nsCert setting, as when you view
> the cert details it says that the cert allows basically everything:
> smime, object signing, file recovery, etc.
>
> The signed cert indeed has an X509v3 extension of "SSL Client" under
> "Netscape Cert Type:", but IE ignores that?
>
> What is the equivalent for IE?
>

The Netscape Cert Type is an old, non-standard extension which some software
ignores. The standard way to do this stuff is with extended key usage and the
appropriate usage, clientAuth in this case.

Check doc/openssl.txt for more info.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
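
The change described in the reply above, shown as an openssl.cnf extension section. This is an added example, not part of the original message or of the OpenSSL documentation; the section name `client_cert_ext` and the file name `cert.pem` are hypothetical, and the `keyUsage` line is an assumption about what a TLS client certificate typically needs.

```ini
# Hypothetical extension section for certificates issued to TLS clients.
# Select it when signing, e.g.: openssl ca -extensions client_cert_ext ...
[ client_cert_ext ]

basicConstraints = CA:FALSE

# Before: the only restriction is the Netscape-specific extension.
# Software that ignores nsCertType sees no usage restriction at all and
# may accept the certificate for S/MIME, code signing, and so on.
nsCertType = client

# After: add the standard X509v3 extensions as well. extendedKeyUsage is
# the extension named in the reply; clientAuth limits the certificate to
# TLS client authentication for software that honours extended key usage.
# (keyUsage is an assumption added for this example, not from the thread.)
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

# Check on an issued certificate (cert.pem is a placeholder name):
#   openssl x509 -in cert.pem -noout -text
# The output should list an "X509v3 Extended Key Usage" extension
# containing "TLS Web Client Authentication".
#   openssl x509 -in cert.pem -noout -purpose
# prints OpenSSL's own view of which purposes the certificate is valid for.
```

nsCertType is kept here so that older software that reads only the Netscape extension still sees the restriction; it can be removed once nothing depends on it.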