Arshad Noor wrote on 2010-01-05:

> In the software that I write, Scott, I enforce this. From
> experience, I also know that browsers and S/MIME User Agents
> (Outlook, Thunderbird) also enforce this.

Those are applications. If they want to enforce it, that's fine, but it doesn't belong in an XML Security library (for example).

> While I presume that cryptographic frameworks such as JCE,
> CAPI, CNG, etc. also enforce this, I do not make assumptions
> about the degree to which they enforce keyUsage bits.

The underlying crypto shouldn't be enforcing anything. X.509 is an application construct, not a cryptographic component. It's pointless to make somebody extract the key themselves and hand it to the same code, and that's what they'll do if the certificate doesn't work as a way of getting the key in.

-- Scott
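The point both writers circle is where the keyUsage check lives: in the application, before the key is handed to the crypto layer. The following is an added example, not code from either poster, showing what that application-level check looks like. It decodes the DER value of an X.509 keyUsage extension (a BIT STRING, RFC 5280 section 4.2.1.3) with no external libraries and applies a purpose-to-bit policy; the extension values and the purpose table are constructed for the example, and the "absent extension means no restriction" rule follows RFC 5280.

```python
"""Application-level keyUsage enforcement (added example, not from the thread).

Decodes the DER-encoded value of the X.509 keyUsage extension and decides
whether a certificate may be used for a given purpose. The DER samples and
the REQUIRED_FOR policy table below are constructed for this example.
"""

# Bit positions as named in RFC 5280 section 4.2.1.3 (bit 0 is the MSB).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Hypothetical application policy: which bits a purpose requires.
REQUIRED_FOR = {
    "sign": {"digitalSignature"},
    "encrypt": {"keyEncipherment"},
    "issue_cert": {"keyCertSign"},
}


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03, short-form length, unused-bits
    byte, bit bytes) into the set of named keyUsage bits that are set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("keyUsage value is not a DER BIT STRING")
    length = der[1]
    # Short-form length only; keyUsage is at most 2 content bytes.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(len(KEY_USAGE_BITS), total_bits)):
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def is_valid_key_usage_der(der: bytes) -> bool:
    """True if the bytes decode as a keyUsage BIT STRING with at least one
    bit set (RFC 5280 requires at least one bit when the extension is present)."""
    try:
        return bool(decode_key_usage(der))
    except ValueError:
        return False


def check_key_usage(der, purpose: str) -> bool:
    """Decide whether a certificate may be used for `purpose`.

    `der` is the keyUsage extension value, or None when the certificate
    carries no keyUsage extension (which RFC 5280 treats as unrestricted).
    Raises ValueError on a malformed or empty extension, so a broken
    certificate is rejected rather than silently accepted.
    """
    if der is None:
        return True
    usages = decode_key_usage(der)
    if not usages:
        raise ValueError("keyUsage present but no bits set")
    return REQUIRED_FOR[purpose] <= usages


# Constructed sample extension values.
SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")    # digitalSignature, keyEncipherment
CA_CERT = bytes.fromhex("03020106")             # keyCertSign, cRLSign
AGREE_DECIPHER = bytes.fromhex("0303070880")    # keyAgreement, decipherOnly (2 bytes)

if __name__ == "__main__":
    for name, der in [("end-entity", SIGN_AND_ENCRYPT), ("CA", CA_CERT)]:
        print(name, sorted(decode_key_usage(der)),
              "sign:", check_key_usage(der, "sign"),
              "issue_cert:", check_key_usage(der, "issue_cert"))
```

The decoder is deliberately strict: a malformed length or unused-bits count raises instead of returning an empty set, because an empty set would make every purpose check fail closed only by accident and would hide the parse error from the caller.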