On 01/-10/-28163 08:59 PM, lst_ho...@kwsoft.de wrote:
> Zitat von Martijn Brinkers <mart...@djigzo.com>:
> 
>> On 01/-10/-28163 08:59 PM, lst_ho...@kwsoft.de wrote:
>>> Hello
>>>
>>> today I found a certificate in our Djigzo store with key usage =
>>> nonRepudiation. I have grabbed the matching root CA, but this certificate
>>> is still marked as invalid, so the question is whether this is because of the
>>> exclusive use of nonRepudiation and what this certificate should be used
>>> for anyway?
>>
>> Non-repudiation is a 'strong' form of signing which is normally used for
>> legal electronic signatures. This normally implies that the private key
>> is stored on an approved smart card and that the certificate is issued by
>> some highly trusted issuer. Sometimes, three certificates (and private
>> keys) are issued to one person. An encryption certificate, a signing
>> certificate and a non-repudiation certificate. With three certificates,
>> the signing certificate is typically used only for authentication
>> purposes and the non-repudiation for signing documents.
>>
>> Djigzo does not make a distinction between a signing certificate and a
>> non-repudiation certificate. A certificate with signing and/or
>> non-repudiation key usage is acceptable for signing.
>>
>> The reason why the certificate is invalid in your case is that the
>> certificate only contains the non-repudiation key usage. The
>> certificate is therefore not valid for encryption. It should be valid
>> for signing if you would possess the private key.
> 
> Hm, okay so because of the "strong" intended usage the certificate is
> actually of low usage value because it is "signing-only".

Well yes and no :)

The user of that certificate probably signed a message with his/her
non-repudiation certificate, and the sender can therefore not deny having
sent the message.

From your point of view, i.e., the admin of the gateway, yes the
certificate is kind of pointless. By default all certificates from
messages are extracted and stored in the certificate store. In this
case, the certificate could just as well have been skipped if that's
what you mean?

Kind regards,

Martijn

-- 
Djigzo open source email encryption

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Users mailing list
Users@lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
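The rule Martijn describes (a certificate with digitalSignature and/or nonRepudiation is acceptable for signing, but encryption needs keyEncipherment) boils down to reading the KeyUsage extension. The snippet below is an added example written for this page, not Djigzo code: it decodes the DER BIT STRING that carries KeyUsage (RFC 5280 4.2.1.3), rejects malformed encodings instead of guessing, and then classifies the certificate for S/MIME. The DER byte strings are constructed by hand for illustration; the assumption that encryption means RSA key transport (keyEncipherment) rather than ECDH (keyAgreement) is mine, and so is treating a missing KeyUsage extension as unrestricted, which is what RFC 5280 says.

```python
"""Decode X.509 KeyUsage and decide whether an S/MIME certificate can sign and/or encrypt.

Added example for the mailing-list thread above; not part of Djigzo.
All DER samples in this file are constructed by hand.
"""
from __future__ import annotations

from dataclasses import dataclass

# Bit positions from RFC 5280 section 4.2.1.3. Bit 0 is the most significant
# bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (newer RFCs call this contentCommitment)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]


def decode_key_usage(der: bytes) -> set[str]:
    """Parse a DER BIT STRING holding KeyUsage and return the names of the set bits.

    Malformed input raises ValueError: wrong tag, inconsistent length,
    unused-bit count outside 0..7, or non-zero padding bits (DER forbids them).
    Minimality of the bit string (no trailing zero bits) is not enforced.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # KeyUsage has at most 9 bits, so a long-form length (>= 0x80) is never valid here.
    if length >= 0x80 or length < 1 or len(der) != 2 + length:
        raise ValueError("bad length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero")
    usages: set[str] = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(index, 8)
        if byte < len(body) and body[byte] & (0x80 >> bit):
            usages.add(name)
    return usages


@dataclass(frozen=True)
class SmimeFitness:
    sign: bool
    encrypt: bool


def classify(usages: set[str] | None) -> SmimeFitness:
    """Apply the gateway rule from the thread.

    digitalSignature or nonRepudiation is enough to sign; encrypting to the
    holder needs keyEncipherment (assumption: RSA key transport, not ECDH).
    None means the certificate has no KeyUsage extension, which RFC 5280
    treats as unrestricted (assumption made explicit here).
    """
    if usages is None:
        return SmimeFitness(sign=True, encrypt=True)
    return SmimeFitness(
        sign=bool(usages & {"digitalSignature", "nonRepudiation"}),
        encrypt="keyEncipherment" in usages,
    )


# Constructed DER values: tag 03, length, unused-bit count, content bytes.
SAMPLES = {
    "nonRepudiation only (the thread's case)": bytes.fromhex("03020640"),
    "digitalSignature + keyEncipherment":      bytes.fromhex("030205a0"),
    "digitalSignature + nonRep + keyEnc":      bytes.fromhex("030205e0"),
    "decipherOnly (bit 8, needs two bytes)":   bytes.fromhex("0303070080"),
}


if __name__ == "__main__":
    for label, der in SAMPLES.items():
        usages = decode_key_usage(der)
        print(f"{label:40} {sorted(usages)} -> {classify(usages)}")
    # A padding bit set to 1 is a DER violation and is rejected, not silently masked.
    try:
        decode_key_usage(bytes.fromhex("03020641"))
    except ValueError as exc:
        print("rejected malformed KeyUsage:", exc)
```

Running it shows the certificate from the thread (only bit 1 set, encoded as `03 02 06 40`) classified as sign=True, encrypt=False, which is exactly why the gateway can accept its signature but will never pick it for encrypting to that user. To apply this to a real certificate, feed the function the raw value of the `2.5.29.15` extension as extracted by your X.509 library; the classification rule is the part worth keeping, the tiny DER decoder is there so the example runs without one.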
