Samuel Liddicott wrote:
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Kaur Virunurm
> > Sent: Thursday, September 23, 1999 09:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: signed and certified but not for email
> >
>
> > Won't the certificate usage in IE also depend on the KEY properties?
> >
> > xenroll control has KeySpec property that you can specify
> > before CreatePKCS10():
> > xenroll.KeySpec = 1 ' AT_KEYEXCHANGE
> > xenroll.KeySpec = 2 ' AT_SIGNATURE
>
> I use:
> Enroll.KeySpec = 1
> Enroll.GenKeyFlags = 3
> document.data.reqEntry.value = Enroll.CreatePKCS10(DNName,
> "1.3.14.3.2.29")
>
> I see that AT_SIGNATURE is used for signing messages and often has a large
> key size even under export versions of IE.
>
> Is AT_KEYEXCHANGE used for encrypting email messages? I would like to use
> an escrowable key for encryption (so we can recover employees' work-related
> messages) but don't particularly want to have the ability to impersonate
> employees.
>
AT_SIGNATURE, as you say, is a signature-only key which can be used with
large keys in all versions of the software.
AT_KEYEXCHANGE is not well named. It can be used for signatures as well
as key exchange. It does have the 512-bit export restriction unless you
install the 128-bit patch.
Due to a bug in IE4 AT_SIGNATURE keys don't appear in the list of
certificates even though they could be used for SSL authentication. IE5
fixes this.
You can use different certificate extensions to enforce restrictions on
certificate usage. If you want to use a certificate for signing only
then:
keyUsage=digitalSignature
will do. For key exchange only:
keyUsage=keyEncipherment
should do the trick.
Now Netscape handles things in a different way: to allow different
signing and encryption certificates the same subject name is needed.
Some of the OpenSSL utilities don't allow this.
I'm not sure how Netscape and MS stuff handle different signing and
encryption certificates at an S/MIME level or if they interop. The
correct way is to include an S/MIME attribute in the signed message
pointing to the encryption certificate: but this is a relatively new
standard so they may do something else.
So if you try this then I'd be interested in any success you have and
any copies of signed mail that manages to be interpreted properly so I
can analyse what it does.
> > As I understand, this should change allowable key usages and might
> > give the effects that you see? Just a guess - but play with this
> > property and see if it has any effects.
>
> I played with this severely last year and the settings I have worked then.
> As per another message here it seems that maybe IE is getting the wrong
> idea.
>
> Perhaps I could export the certificate and get someone to look at it and see
> what it is really set as, so we can see what is lying.
>
You can use the x509 utility to print out all the extensions and the
pkcs12 utility to print out the key type to see what types it has.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
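As an added illustration of the keyUsage values and the x509 check Steve describes (example script, not part of the original thread), this builds two self-signed test certificates, one with keyUsage=digitalSignature and one with keyUsage=keyEncipherment, and reads the extension back with the x509 utility. It assumes the openssl command-line tool is on PATH; the file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes the openssl CLI is installed; all file and subject names are made up.
set -e
WORK="${TMPDIR:-/tmp}/keyusage-demo.$$"
mkdir -p "$WORK"

# make_cert NAME KEYUSAGE
# Generate a throwaway RSA key and a self-signed certificate whose only
# extension is a critical keyUsage set to KEYUSAGE (e.g. digitalSignature).
make_cert() {
    name="$1"; ku="$2"
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $name test (constructed)
[ext]
keyUsage = critical, $ku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# key_usage NAME
# Print the decoded keyUsage value from the certificate, the way one would
# check what a certificate is "really set as" with the x509 utility.
key_usage() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        sed -n '/X509v3 Key Usage/{n;s/^[[:space:]]*//;p;}'
}

make_cert signing  digitalSignature
make_cert exchange keyEncipherment
key_usage signing    # prints: Digital Signature
key_usage exchange   # prints: Key Encipherment
```

Running `openssl x509 -in <cert> -noout -text` on an exported IE or Netscape certificate shows the same "X509v3 Key Usage" block, which is what to compare against the KeySpec the enrolment control was given.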