b) the "Object signing" OID. This is similar to the newer standard "Code signing" OID, but it has more stringent requirements. Certain downloaded code "objects" (such as java jar files) would execute in Netscape Communicator 4.x with special privileges if they were signed with a valid certificate that had the extended key usage OID in it. Unlike the new standard "Code Signing" OID, the Object Signing OID had to be present in the EE cert and also in all the intermediate CA certs in the chain in order to be valid for Object signing.
However, AFAIK, the "object signing" feature was not carried over into later generation browsers (after Communicator 4.x). So, it's probably not too important any more.
I have been told that mozilla does use this OID, but in fewer places than did C4.x, so perhaps this OID is still relevant.
Jean-Marc Desperrier wrote:
In my tests, Communicator 4.x did not enforce the restriction you describe in all cases.
If the intermediate/root CA certs had no netscape cert type extension at all, it was possible to enable them for "object signing" without problems, despite a description implying they were required to explicitly have it.
Very interesting. That would be a pretty serious flaw, and would (I think) weaken the relative strength of the "Object Signing" OID (as compared to the Code Signing OID).
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
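
The difference discussed in this thread, as an added example that is not part of the original messages and is not Communicator or NSS code: it compares the rule as described (every cert in the chain asserts object signing), the behaviour reported in the reply (a CA cert with no extension is accepted), and an EE-only check. The `Cert` model, function names and sample chains are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    """Simplified stand-in for a parsed certificate (hypothetical model)."""
    name: str
    is_ca: bool
    # True: usage extension present and asserts object signing
    # False: usage extension present but does not assert it
    # None: usage extension absent from the certificate
    object_signing: Optional[bool]

def strict_ok(chain: List[Cert]) -> bool:
    """Rule as described: the EE cert and every CA cert must assert it explicitly."""
    return all(c.object_signing is True for c in chain)

def lenient_ok(chain: List[Cert]) -> bool:
    """Behaviour reported in the reply: a CA cert with no extension is accepted."""
    return all(c.object_signing is True or (c.is_ca and c.object_signing is None)
               for c in chain)

def ee_only_ok(chain: List[Cert]) -> bool:
    """Code Signing style check: only the EE cert (chain[0]) is examined."""
    return chain[0].object_signing is True

def unconstrained_cas(chain: List[Cert]) -> List[str]:
    """CA certs that pass only because the extension is missing (audit aid)."""
    return [c.name for c in chain if c.is_ca and c.object_signing is None]

# Constructed sample chains, ordered EE first.
EE = Cert("ee", False, True)
EXPLICIT = [EE, Cert("intermediate", True, True), Cert("root", True, True)]
NO_EXT = [EE, Cert("intermediate", True, None), Cert("root", True, None)]
DENIED = [EE, Cert("intermediate", True, False), Cert("root", True, True)]

if __name__ == "__main__":
    for label, chain in (("explicit", EXPLICIT), ("no-ext", NO_EXT), ("denied", DENIED)):
        print(label, strict_ok(chain), lenient_ok(chain), ee_only_ok(chain),
              unconstrained_cas(chain))
```

The `NO_EXT` chain is the case from the reply: it fails the strict rule but passes the lenient one, so for CA certs without the extension the lenient check gives the same answer as the EE-only check.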
