> By browsing the database certificates I found that some external
> recipients have split certificates for "digitalSignature" and
> "keyEncipherment", some have additionally "dataEncipherment" and some
> have no Usage Key at all. After reading about these flags the question
> arises how Djigzo handles this flag, if at all.

Encryption:

When deciding whether a certificate is valid for S/MIME encryption, Djigzo checks whether the certificate has the following properties:

- If the key usage extension is available, it should contain "keyEncipherment". If the key usage extension is not specified, the certificate is considered to be valid for all usages.
- If the extended key usage extension is available, it should either contain "anyKeyUsage" OR "emailProtection". If the extended key usage extension is not available, the certificate is considered to be valid for all extended usages.

The key usage and extended key usage must both be valid.

Signing:

When deciding whether a certificate is valid for S/MIME signing, Djigzo checks whether the certificate has the following properties:

- If the key usage extension is available, it should contain "digitalSignature" OR "nonRepudiation". If the key usage extension is not specified, the certificate is considered to be valid for all usages.
- If the extended key usage extension is available, it should either contain "anyKeyUsage" or "emailProtection". If the extended key usage extension is not available, the certificate is considered to be valid for all extended usages.

The key usage and extended key usage must both be valid.

The "dataEncipherment" key usage is not used very often. It's used when the private key is used to encrypt other data than a session key. S/MIME is a two-step process. When a message is encrypted, a session key is generated (for example an AES key). The message is encrypted with the session key (for example AES encryption). The session key is then encrypted with the public key. The "keyEncipherment" extension says that the key can be used to encrypt a session key.

Kind regards,

Martijn

--
Djigzo open source email encryption
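
The rules in the reply above, applied to the certificate types from the question, as an added example that is not part of the original message and is not Djigzo's own code. The `CertUsage` model, the function names and the sample certificates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Usage names as written in the reply above (RFC 5280 calls "anyKeyUsage"
# anyExtendedKeyUsage).
SMIME_EKU = frozenset({"anyKeyUsage", "emailProtection"})
ENCRYPT_KU = frozenset({"keyEncipherment"})
SIGN_KU = frozenset({"digitalSignature", "nonRepudiation"})

@dataclass(frozen=True)
class CertUsage:
    """Hypothetical model; None means the extension is absent from the cert."""
    label: str
    key_usage: Optional[FrozenSet[str]] = None
    ext_key_usage: Optional[FrozenSet[str]] = None

def _allowed(present, accepted):
    # Absent extension: valid for all usages. Present: needs an accepted value.
    return present is None or bool(present & accepted)

def valid_for_encryption(cert):
    # Key usage and extended key usage must both be valid.
    return _allowed(cert.key_usage, ENCRYPT_KU) and _allowed(cert.ext_key_usage, SMIME_EKU)

def valid_for_signing(cert):
    return _allowed(cert.key_usage, SIGN_KU) and _allowed(cert.ext_key_usage, SMIME_EKU)

def classify(certs):
    """Map each label to (valid for encryption, valid for signing)."""
    return {c.label: (valid_for_encryption(c), valid_for_signing(c)) for c in certs}

# Constructed sample certificates covering the cases from the question.
SAMPLES = [
    CertUsage("sign-only", frozenset({"digitalSignature"})),
    CertUsage("encrypt-only", frozenset({"keyEncipherment"})),
    CertUsage("encrypt+data", frozenset({"keyEncipherment", "dataEncipherment"})),
    CertUsage("data-only", frozenset({"dataEncipherment"})),
    CertUsage("no-key-usage"),
    CertUsage("tls-server", frozenset({"digitalSignature", "keyEncipherment"}),
              frozenset({"serverAuth"})),
]

if __name__ == "__main__":
    for label, (enc, sign) in classify(SAMPLES).items():
        print(f"{label:14} encrypt={enc!s:5} sign={sign}")
```

Under these rules a certificate carrying only "dataEncipherment" is rejected for both purposes, while a certificate with no key usage extension is accepted for both.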
