In the software that I write, Scott, I enforce this.  From
experience, I also know that browsers and S/MIME User Agents
(Outlook, Thunderbird) also enforce this.

While I presume that cryptographic frameworks such as JCE,
CAPI, CNG, etc. also enforce this, I do not make assumptions
about the degree to which they enforce keyUsage bits.  It
ensures that I don't get surprised later on.  I presume the
developers of the applications I've listed above follow the
same rule.

Arshad Noor
StrongAuth, Inc.

Scott Cantor wrote:
Arshad Noor wrote on 2010-01-05:
Not with well-behaved software that conforms to PKIX standards.

Signing keys are meant to only sign objects, while "Exchange"
keys are meant for encryption/decryption.  That is the reason
why decryption works with the first, but not with the second.

Out of curiosity, what layer of software is enforcing this? It certainly
shouldn't be the core encryption/decryption code.
-- Scott
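To make the application-layer check discussed in this thread concrete, here is an added example (not code from either poster) that decodes a certificate's keyUsage BIT STRING and refuses an operation the bits do not permit, so a "signing" certificate cannot be used to unwrap a content-encryption key. The operation labels and the two sample DER values are constructed for illustration.

```python
# Minimal DER decoder for the X.509 KeyUsage BIT STRING (RFC 5280, 4.2.1.3).
# Bit names in RFC 5280 order; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# keyUsage bit an application must find before each operation. The operation
# labels are an assumption for this example; the required bit follows RFC 5280.
REQUIRED_BIT = {
    "sign": "digitalSignature",
    "verify": "digitalSignature",
    "wrap_key": "keyEncipherment",    # RSA key transport (S/MIME, CMS)
    "unwrap_key": "keyEncipherment",  # decrypting a transported content key
}

def decode_key_usage(der: bytes) -> frozenset:
    """Decode a DER BIT STRING (the KeyUsage extnValue content) into named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits are not zero (not DER)")
    total_bits = len(body) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if i < total_bits and body[byte] & (0x80 >> bit):
            names.add(name)
    return frozenset(names)

def permits(usage, operation: str) -> bool:
    """Application-layer gate: refuse an operation the keyUsage bits do not allow.
    usage=None means the extension is absent, which imposes no keyUsage limit."""
    if usage is None:
        return True
    return REQUIRED_BIT[operation] in usage

# Constructed sample extnValue contents (not from any real certificate): a "signing"
# cert (digitalSignature + nonRepudiation) and an "exchange" cert (keyEncipherment + dataEncipherment).
SIGNING_KEY_USAGE = bytes.fromhex("030206c0")
EXCHANGE_KEY_USAGE = bytes.fromhex("03020430")
```

Calling `permits(decode_key_usage(der), "unwrap_key")` before handing a private key to the decryption routine is the kind of check that keeps the core crypto code out of the policy decision.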

