If I use a signature-only cert to authenticate a D-H key exchange (e.g., in
IPSEC, or SSL with ephemeral DH ciphersuites) am I in violation of any
licensing condition and/or, when applicable, export regulation? I'm asking
because MS seems to suggest that for Win2K's IPSEC stack a signature-only
cert would suffice:

http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.asp

[...]
Here are the requirements for the certificate to be used for IPSec:

Certificate stored in computer account (machine store)
Certificate contains an RSA public key that has a corresponding private key
that can be used for RSA signatures.
Used within certificate validity period
The root certificate authority is trusted
A valid certificate authority chain can be constructed by the CAPI module
[...]

Cheers --

Enzo


