Ondrej Mikle <[email protected]> writes:

>It's issued by A-Trust (not A-Data).

Well I had to put something in there to validate the "Any inadvertent mangling of details was my fault" :-).

>The Hongkong Post certs lack EKU extension, but 'key usage' does not contain
>'digital signature'. That makes them probably unusable for Microsoft's code-
>signing scheme, but I don't know about other code-signing implementations.

How effectively is that enforced though? CryptoAPI will quite happily allow the use of encryption-only keys (AT_KEYEXCHANGE in CryptoAPI terminology) to be used for signature generation and verification (amusingly, the CryptoAPI workhorse signature-generation function CryptSignHash(), while on the one hand not allowing you to select from among your signature keys the one that you want to use for signing does on the other hand allow you to indicate specifically that you want to use your AT_KEYEXCHANGE encryption key to generate a signature). In the past developers have had considerable problems getting (for example) Windows to stop using a kU digitalSignature-flagged cert for encryption. So just because the kU is set a certain way doesn't mean it won't be used for something completely different.

Peter.
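Added example, not part of the original message and not code from CryptoAPI or any project named above: a relying-party check that decodes the keyUsage extension value itself and refuses a certificate for signature verification when digitalSignature is not asserted, rather than relying on the crypto library to enforce it. The function names, the policy for certificates without keyUsage, and the sample byte strings are assumptions made for this illustration.

```python
# Added example: relying-party enforcement of the X.509 keyUsage extension.
# Bit names and positions follow RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def parse_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("keyUsage value is not a BIT STRING")
    length = der[1]
    # keyUsage needs at most 3 content octets, so only short-form lengths
    # are accepted; at least one octet of bits must follow the count octet.
    if length & 0x80 or length != len(der) - 2 or length < 2:
        raise ValueError("unexpected BIT STRING length")
    unused, body = der[2], der[3:]
    # The unused-bit count must be 0..7 and the padding bits must be zero.
    if unused > 7 or body[-1] & ((1 << unused) - 1):
        raise ValueError("bad unused-bit count or non-zero padding")
    total_bits = len(body) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # Bit 0 is the most significant bit of the first content octet.
        if i < total_bits and body[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return frozenset(names)


def may_verify_signature(key_usage_der) -> bool:
    """Assumed policy: accept a certificate for signature verification only
    if keyUsage is absent (None) or asserts digitalSignature."""
    if key_usage_der is None:
        return True
    return "digitalSignature" in parse_key_usage(key_usage_der)


# Constructed sample extension values (not taken from any real certificate).
SIGNING_ONLY = bytes.fromhex("03020780")     # digitalSignature
ENCRYPTION_ONLY = bytes.fromhex("03020430")  # keyEncipherment, dataEncipherment
```

A caller would run may_verify_signature() on the signer certificate's keyUsage value before handing the key to the signature-verification routine, and treat a ValueError as a rejection.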
