Enzo,
Many applications that employ certs ignore key usage restrictions. This
isn't your fault or the fault of the CA. It simply reflects a 'broken'
implementation. IANAL, but I fail to see how you or your customers could be
held responsible for applications that use certs in ways other than the cert
was intended to be used by the issuer.

--Lucky Green <[EMAIL PROTECTED]>

  "Anytime you decrypt: that's against the law".
   Jack Valenti, President, Motion Picture Association of America in
   a sworn deposition, 2000-06-06


> -----Original Message-----
> From: owner-c [mailto:[EMAIL PROTECTED]]On
> Behalf Of Enzo Michelangeli
> Sent: Monday, August 14, 2000 20:03
> To: [EMAIL PROTECTED]
> Subject: Using signature-only certs to authenticate key exchanges
>
>
> If I use a signature-only cert to authenticate a D-H key exchange
> (e.g., in
> IPSEC, or SSL with ephemeral DH ciphersuites) am I in violation of any
> licensing condition and/or, when applicable, export regulation? I'm asking
> because MS seems to suggest that for Win2K's IPSEC stack a signature-only
> cert would suffice:
>
> http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.asp
>
> [...]
> Here are the requirements for the certificate to be used for IPSec:
>
> Certificate stored in computer account (machine store)
> Certificate contains an RSA public key that has a corresponding
> private key
> that can be used for RSA signatures.
> Used within certificate validity period
> The root certificate authority is trusted
> A valid certificate authority chain can be constructed by the CAPI module
> [...]
>
> Cheers --
>
> Enzo
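As an added example (not part of this thread or of any product it mentions), here is the kind of KeyUsage check that the "broken" implementations Lucky describes skip: it decodes the extension's DER BIT STRING (RFC 5280, section 4.2.1.3) and accepts a certificate for a purpose only if the bit that purpose requires is asserted, so a signature-only cert passes for signing a DH exchange but not for RSA key transport. The purpose names and the sample DER bytes are constructed for the example.

```python
# Added example: strict X.509 KeyUsage enforcement for a certificate that is
# about to be used in a key exchange. Parses only the extension value
# (a DER BIT STRING), not a whole certificate. Sample bytes are constructed.

# Bit positions of the KeyUsage BIT STRING, per RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Hypothetical purpose names mapped to the KeyUsage bit each one needs.
REQUIRED_BIT = {
    "sign_dh_exchange": "digitalSignature",  # cert key signs an ephemeral DH exchange (IKE, SSL DHE)
    "rsa_key_transport": "keyEncipherment",  # peer encrypts a premaster secret to the cert key
    "static_dh": "keyAgreement",             # the certified key is itself a DH key
}


def parse_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:   # short-form length only
        raise ValueError("bad or unsupported length")
    unused = der[2]                                # trailing padding bits in last byte
    if unused > 7:
        raise ValueError("unused-bit count out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):     # bit 0 is the MSB of the first byte
            usages.add(KEY_USAGE_BITS[i])
    return usages


def permits(der: bytes, purpose: str) -> bool:
    """True only if the required KeyUsage bit is present; never falls back to 'allow'."""
    return REQUIRED_BIT[purpose] in parse_key_usage(der)


# Constructed sample extension values.
SIGNATURE_ONLY = bytes.fromhex("03020780")    # digitalSignature only
SIG_AND_ENCIPHER = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
DH_KEY = bytes.fromhex("03020308")            # keyAgreement only
DECIPHER_ONLY = bytes.fromhex("0303070080")   # decipherOnly (bit 8, second byte)
```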