Jean-Marc Desperrier wrote:

>The trouble is that certUsageEmailSigner in its current implementation 
>does indeed look for other things than non-repudiation. It checks that 
>the certificate is valid to sign mail, i.e. if it has an Extended Key 
>Usage it must include id-kp-emailProtection, and the presence or not of 
>an email address interferes also. So some certificates that are perfectly 
>valid to sign data do not get certUsageEmailSigner.

Thank you for pointing this out.  I suspected that there was something
not so pleasant deep down in there...

I have put a similar question to the PKIX list as I'm stuck even
with getting the text right in the on-line signature standards effort
I'm working on.  I would not be surprised if I end up with some
kind of option in order to deal with this mess.   When the EU sign
directive was written few anticipated that you could get convicted
by using unsigned mail.  That is, the NR versus DS stuff has no
real-world legal implications, but unfortunately it has major
"side effects" such as screwing up cert selection algorithms. :-(

Some CAs apparently never set NR, which I do not interpret
as "useless for signing" but rather as indicating that we do not really
know what NR means.  Others, like PIV, seem to require three
certificates where only one has NR.

Anders Rundgren

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto