Hi again Bob,
(saw you at the NIST PKI Workshop last week)

>The assumption in NSS in the past has been that certUsageEmailSigner
>implied non-repudiation, while certUsageSSLClientAuth did not.

I believe this is perfectly OK. It was just the name that caught my attention. It sounds like it looks for other things than just the non-rep stuff.

>That being said, NSS does not currently filter either of those based on
>the non-repudiation bit (IIRC). Also, there is a growing suspicion that
>email should be signed with an 'auth' certificate, since it typically
>means 'I sent this', not 'I agree to this'. The quickest way to come to
>that conclusion is to ask yourself "do I really want to supply my pin
>again each time I try to send an email message"?

To my knowledge, CAs either issue separate NR and Auth certs or combined NR+auth certs. Some of course issue certs that can be used for "everything". It seems that the current filtering should work in all of these cases and only return a single certificate with NR on.

>If we go down this new path, it would imply that we need a new certUsage
>for non-repudiation certificates.

I don't think we need to do that. There seems to be just a local bug in signText. To support CAs that do not set the NR bit in any cert is not particularly important. If this is a requirement we end up with a rather hard algorithm where certificate contents have to be compared as well. I would not follow such a path as there are too many bumps and holes to cater for.

Although I personally don't think that there are any legal differences between NR and not NR, the bit is at least useful for key selection!

Anders

----- Original Message -----
From: "Bob Relyea" <[EMAIL PROTECTED]>
To: "Mozilla Crypto" <dev-tech-crypto@lists.mozilla.org>
Sent: Monday, April 10, 2006 23:08
Subject: Re: certificate requirements for crypto.signText

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto