Re: Netscape Extension
Kiyoshi Watanabe wrote:
> Dear all,
> Let me ask: if I omit the nsCertType extension, can the certificate be used for keyEncipherment even if I specify only digitalSignature in keyUsage? Does anyone know whether Netscape recognizes the keyUsage bit and limits the usage of the certificate?

Yes, Netscape does recognise the extension up to a point. If nsCertType is omitted the certificate can be used for any of the nsCertType uses *except* object signing. However this may conflict with other uses; for example, you shouldn't be able to use a certificate for client authentication if keyUsage is present and digitalSignature isn't set. I haven't personally done any exhaustive test of what it does enforce. Some documentation about the behaviour is at:

http://home.netscape.com/eng/security/comm4-cert-exts.html

There is an inconsistency here though. An SSL/TLS server certificate, if it includes keyUsage, must have keyEncipherment set, otherwise an error occurs when attempting to connect to the server. However an SSL/TLS server certificate may be used for both signing and key encipherment depending on the cipher suite. Netscape will not reject an SSL/TLS server certificate if it is used for signing in a cipher suite even if keyUsage is present and digitalSignature is not set.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
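The keyUsage/nsCertType rules Steve describes above, written out as an added example that is not part of the thread, of OpenSSL or of Netscape: a small script that decodes the DER BIT STRING form of either extension and reports which nsCertType uses remain consistent with the keyUsage bits. The rule set is modelled only on the reply above and the DER bytes in the test are constructed.

```python
"""Added example: apply the Netscape keyUsage/nsCertType rules from the reply.
Not OpenSSL or Netscape code; the rules are a model of the text above."""

# Bit positions as in RFC 5280 (bit 0 is the most significant bit of the first byte).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
# nsCertType bit names as OpenSSL spells them (bit 0 = SSL client ... bit 7 = object signing CA).
NS_CERT_TYPES = ["client", "server", "email", "objsign",
                 "reserved", "sslCA", "emailCA", "objCA"]


def decode_bit_string(der: bytes, names: list) -> set:
    """Decode a short DER BIT STRING (tag 0x03) into the set of named bits that are set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, body = der[1], der[2:]
    if length == 0 or length >= 0x80 or len(body) != length:
        raise ValueError("unsupported or malformed length")
    unused, bits = body[0], body[1:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    total_bits = len(bits) * 8 - unused
    return {names[i] for i in range(min(total_bits, len(names)))
            if (bits[i // 8] >> (7 - i % 8)) & 1}


def encode_bit_string(flags: set, names: list) -> bytes:
    """Encode the named flags as a minimal DER BIT STRING (trailing unused bits trimmed)."""
    positions = sorted(names.index(f) for f in flags)
    if not positions:
        return b"\x03\x01\x00"          # empty BIT STRING
    nbits = positions[-1] + 1
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    return bytes([0x03, nbytes + 1, nbytes * 8 - nbits]) + bytes(value)


def permitted_uses(key_usage, ns_cert_type):
    """Return (allowed nsCertType uses, warnings). None means the extension is absent."""
    # nsCertType omitted: every nsCertType use is allowed except object signing.
    allowed = set(ns_cert_type) if ns_cert_type is not None else {"client", "server", "email"}
    warnings = []
    if key_usage is not None:
        if "digitalSignature" not in key_usage:
            allowed.discard("client")       # client auth needs digitalSignature
            if "server" in allowed:         # signing cipher suites are not rejected, so only warn
                warnings.append("server cert lacks digitalSignature but may still sign in some cipher suites")
        if "keyEncipherment" not in key_usage:
            allowed.discard("server")       # connecting to the server fails without keyEncipherment
    return allowed, warnings
```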
Netscape Extension
Dear all,

Let me ask: if I omit the nsCertType extension, can the certificate be used for keyEncipherment even if I specify only digitalSignature in keyUsage? Does anyone know whether Netscape recognizes the keyUsage bit and limits the usage of the certificate?

Regards,
Kiyoshi

Kiyoshi WATANABE
Hitachi, Ltd.

---openssl.cnf--
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
#
# For an object signing certificate this would be used.
# nsCertType = objsign
#
# For normal client use this is typical
# nsCertType = client, email
#
# and for everything including object signing:
# nsCertType = client, email, objsign
#nsCertType = client
#nsCertType = email
#nsCertType = objsign
#nsCertType = client, email

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment