That being said, NSS does not currently filter either of those based on the non-repudiation bit (IIRC). Also, there is a growing suspicion that email should be signed with a 'auth' certificate, since it typically means 'I sent this', not 'I agree to this'. The quickest way to come to that conclusion is to ask yourself "do I really want to supply may pin again each time I try to send an email message"?
If we go down this new path, it would imply that we need a new certUsage for non-repudiation certificates.
bob Anders Rundgren wrote:
Odd that crypto.signtext should check for an email cert when it is not performing email signing or encryption.nsCrypto::SignText explicitly does a CERT_FindUserCertsByUsage(certUsageEmailSigner); is there a better usage bit to use?There's no better usage bit to use, I know this the hard way :-)Although I have not studied the code, the name appears to be in conflict with websigning since such certificates usually has nothing to do with e-mail. The appropriate selection should only check for NR or have I missed something obvious? Maybe it could be extended to support the DS in the case there is no NR cert with the same "ID"? This comparison is a bit ugly but may be needed for PIV. Anders Rundgren _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto