bk390934 wrote:
>
> I tried to use a signature-only certificate in Netscape Messenger 7.0.
> Essentially all I want to do is send signed e-mails. I don't need to send or
> receive encrypted mails.
>
> Strangely enough NS7 refuses to accept my perfectly valid certificate (X.509
> v3 extension keyUsage=digitalSignature,nonRepudiation) and insists that I
> also specify another signature to allow others to send me encrypted mail.

Thanks for reporting this. Perhaps this case isn't tested currently.

PSM can and does handle separate signing-only and encryption-only certs.
If you have both a signing-only cert and an encryption-only cert with the
same subject name, PSM will do the right thing. That gets tested all the
time, I believe. The usual reason for that dual cert approach is that the
private key for the encryption cert is escrowed, but the private key for
the signing cert is not.

But in your case, you're using a signing-only cert with no corresponding
encryption-only cert. We probably just haven't tested that.

> Why is this? I fail to see the logic in forcing someone to encrypt mails if
> all he wants is to sign (also, why do they put separate activation check
> boxes for sign and encrypt if you're forced to provide encryption certifs
> anyway).

It sounds like PSM is demanding that you also have a cert for encryption.
That may be a policy decision in PSM, or it may be simply a bug. I don't
know.

PSM does implement a number of policies like that. For example, PSM won't
let you send an encrypted email unless you have your own cert for
encryption, because PSM wants to ensure that you will be able to read a
copy of the mail you sent. PSM's policy is that you must be able to read
what you send. There's been some disagreement about whether that's an
appropriate policy, but at least it makes _some_ logical sense.

I agree that I don't see any point in requiring an encryption cert to send
a signed but not encrypted message.

> The certificates I tried all work perfectly well in Outlook Express and
> Netscape Mail 4.79.
>
> The private key and corresponding public key + certif were successfully
> imported in NS7 but when I activate the "sign outgoing mail" checkbox I get
> this request for an encryption certificate.
>
> Why this insistence on an encryption certificate?
>
> Do they realize that this feature (bug?) excludes Netscape Mail from use
> with official national signature-only certificates in some countries?

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
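
Added example (not part of the original message, and not PSM code): the sign/encrypt certificate requirement discussed in this thread, written as a decoder for the DER keyUsage BIT STRING plus a per-message check of which roles the sender's certs cover. The function names, the hex samples and the mapping of keyUsage bits to S/MIME roles are assumptions made for illustration.

```python
# Added example, not PSM code. Names and the role mapping are assumptions.
KEY_USAGE_BITS = (  # bit positions 0..8 as defined in RFC 5280
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Decode a keyUsage value (a DER BIT STRING) into a set of bit names."""
    # keyUsage has 9 named bits, so the content is 1 unused-count byte + 1..2 bytes.
    if len(der) not in (4, 5) or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING of keyUsage size")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("bad unused-bit count or non-zero padding bits")
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i // 8 < len(payload) and payload[i // 8] & (0x80 >> (i % 8))
    }

def smime_roles(usage: set) -> set:
    """Assumed mapping of keyUsage bits to the S/MIME roles a cert can fill."""
    roles = set()
    if usage & {"digitalSignature", "nonRepudiation"}:
        roles.add("sign")
    if usage & {"keyEncipherment", "keyAgreement"}:
        roles.add("encrypt")
    return roles

def missing_roles(own_cert_usages, sign: bool, encrypt: bool) -> set:
    """Roles this message needs that none of the sender's certs provides.

    Encrypting needs the sender's own encryption cert (the policy described
    in the reply: the sender must be able to read what was sent).
    Signing alone needs only a signing cert.
    """
    needed = ({"sign"} if sign else set()) | ({"encrypt"} if encrypt else set())
    have = set()
    for usage in own_cert_usages:
        have |= smime_roles(usage)
    return needed - have

# Constructed sample: keyUsage=digitalSignature,nonRepudiation -> 03 02 06 C0
SIGN_ONLY = decode_key_usage(bytes.fromhex("030206c0"))
# Constructed sample: keyUsage=keyEncipherment -> 03 02 05 20
ENCRYPT_ONLY = decode_key_usage(bytes.fromhex("03020520"))

if __name__ == "__main__":
    print(missing_roles([SIGN_ONLY], sign=True, encrypt=False))  # signed only
    print(missing_roles([SIGN_ONLY], sign=True, encrypt=True))   # signed + encrypted
```

With only the signing-only cert loaded, a signed-but-unencrypted message has no missing role; the encryption cert becomes a requirement only once encryption is requested.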
