Patrick wrote:
> This is a repeat (not sure what happened to original):
>
> I was able to use a cert which has keyEncipherment key usage only (no other
> key usages, especially *no digitalSignature*) for SSL client
> authentication... I thought NSS would not permit this to happen, i.e. the
> client needs digitalSignature at least for SSL client usage.
> Am I missing something here? Is keyEncipherment good enough for SSL client??
>
> -- Patrick
The SSL API places complete responsibility for checking the certificate with the application. libnss provides functions to the application to enable it to choose a suitable certificate and private key, but does not prevent the application from choosing unsuitable ones.

To obtain the certificate and private key used in client authentication, the SSL library calls an application-supplied callback function. libSSL uses whatever cert and key the application tells it to use. It is the application's responsibility to select a key and cert that are appropriate. As long as the private key chosen by the application is capable of being used to generate a signature (e.g. is an RSA or DSA private key, and the PKCS#11 key object has the necessary attributes that permit it to be used for those purposes), SSL will use the key for the signature.

Likewise, at the server end, libSSL calls an application-supplied callback function to determine if the client's certificate is suitable for authentication purposes. If the callback returns SECSuccess, and if the cert contains a public key that is capable of being used for the purpose of checking the signature, libSSL will use the public key for that purpose.

-- Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
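The check that the reply says belongs in the application, written out as an added example (not code from the thread, from NSS, or from Netscape): TLS client authentication is a signature over the handshake (CertificateVerify), so the KeyUsage bit that matters is digitalSignature; keyEncipherment covers RSA key transport and is not enough on its own. The helper below decodes a DER KeyUsage extension value (the BIT STRING from RFC 5280 section 4.2.1.3) by hand so it runs without NSS installed, and the sample extension values are constructed for this example. In a real NSS client-auth callback (the one registered with SSL_GetClientAuthDataHook) the application would instead pull the extension with CERT_FindKeyUsageExtension, or more simply call CERT_CheckKeyUsage(cert, KU_DIGITAL_SIGNATURE); the bit masks below use the same values as NSS's KU_* constants. Treating a missing KeyUsage extension as permissive follows RFC 5280 and is a policy choice the application must make for itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5280 section 4.2.1.3 KeyUsage bits, as masks over the first content
 * octet of the DER BIT STRING (bit 0 = most significant bit). These are the
 * same values NSS uses for its KU_* constants. */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_NON_REPUDIATION   0x40
#define KU_KEY_ENCIPHERMENT  0x20
#define KU_DATA_ENCIPHERMENT 0x10
#define KU_KEY_AGREEMENT     0x08

/* Decode a DER KeyUsage extension value (the BIT STRING inside extnValue)
 * into a mask of its first content octet. Only the short-form length is
 * handled, which is all a KeyUsage ever needs.
 * Returns 0 on success, -1 if the encoding is malformed. */
int decode_key_usage(const uint8_t *der, size_t len, unsigned *mask)
{
    if (der == NULL || len < 3 || der[0] != 0x03)        /* BIT STRING tag   */
        return -1;
    size_t inner = der[1];
    if (inner >= 0x80 || inner < 1 || len != 2 + inner)  /* short length only */
        return -1;
    unsigned unused = der[2];                             /* unused-bits count */
    if (unused > 7)
        return -1;
    if (inner == 1) {                                     /* empty bit string  */
        if (unused != 0)
            return -1;
        *mask = 0;
        return 0;
    }
    /* encipherOnly/decipherOnly live in a second octet; not needed here. */
    *mask = der[3];
    return 0;
}

/* The test a client-auth callback should make before handing a cert to
 * libssl. A NULL extension value means the cert has no KeyUsage extension,
 * which restricts nothing under RFC 5280 (assumed policy for this example).
 * A malformed extension is rejected rather than guessed at. */
int key_usage_permits_client_auth(const uint8_t *ku_der, size_t len)
{
    unsigned mask;
    if (ku_der == NULL)
        return 1;
    if (decode_key_usage(ku_der, len, &mask) != 0)
        return 0;
    return (mask & KU_DIGITAL_SIGNATURE) != 0;
}

/* Constructed sample extension values. DER strips trailing zero bits from a
 * BIT STRING, which is why the unused-bit counts differ. */
const uint8_t KU_ENC_ONLY[]    = { 0x03, 0x02, 0x05, 0x20 }; /* keyEncipherment  */
const uint8_t KU_SIG_ONLY[]    = { 0x03, 0x02, 0x07, 0x80 }; /* digitalSignature */
const uint8_t KU_SIG_AND_ENC[] = { 0x03, 0x02, 0x05, 0xA0 }; /* both bits        */
const uint8_t KU_BAD_UNUSED[]  = { 0x03, 0x02, 0x09, 0x80 }; /* unused bits > 7  */

static const char *verdict(int ok) { return ok ? "accept" : "reject"; }

int main(void)
{
    printf("keyEncipherment only      : %s\n",
           verdict(key_usage_permits_client_auth(KU_ENC_ONLY, sizeof KU_ENC_ONLY)));
    printf("digitalSignature only     : %s\n",
           verdict(key_usage_permits_client_auth(KU_SIG_ONLY, sizeof KU_SIG_ONLY)));
    printf("digitalSignature + keyEnc : %s\n",
           verdict(key_usage_permits_client_auth(KU_SIG_AND_ENC, sizeof KU_SIG_AND_ENC)));
    printf("malformed extension       : %s\n",
           verdict(key_usage_permits_client_auth(KU_BAD_UNUSED, sizeof KU_BAD_UNUSED)));
    printf("no KeyUsage extension     : %s\n",
           verdict(key_usage_permits_client_auth(NULL, 0)));
    return 0;
}
```

Run as is, it rejects the keyEncipherment-only cert from the question and accepts the two that assert digitalSignature. The same logic belongs on the server side as well: the server's cert-authentication callback is the only place a keyEncipherment-only client cert can be refused, since libssl will otherwise verify the signature with any key that can mathematically do so.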
