Quoting Martijn Brinkers <[email protected]>:

On 01/-10/-28163 08:59 PM, [email protected] wrote:
Quoting Martijn Brinkers <[email protected]>:

On 01/-10/-28163 08:59 PM, [email protected] wrote:
Hello

today I found some certificate in our Djigzo store with key usage =
nonRepudiation. I have grabbed the matching root CA but this certificate
is still marked as invalid, so the question is if this is because of the
exclusive use of nonRepudiation and what this certificate should be used
for anyway??

Non-repudiation is a 'strong' form of signing which is normally used for
legal electronic signatures. This normally implies that the private key
is stored on an approved smart card and that the certificate is issued by
some highly trusted issuer. Sometimes, three certificates (and private
keys) are issued to one person. An encryption certificate, a signing
certificate and a non-repudiation certificate. With three certificates,
the signing certificate is typically used only for authentication
purposes and the non-repudiation for signing documents.

Djigzo does not make a distinction between a signing certificate and a
non-repudiation certificate. A certificate with signing and/or
non-repudiation key usage is acceptable for signing.

The reason why the certificate is invalid in your case is that the
certificate only contains the non-repudiation key usage. The
certificate is therefore not valid for encryption. It should be valid
for signing if you would possess the private key.

Hm, okay so because of the "strong" intended usage the certificate is
actually of low usage value because it is "signing-only".

Well yes and no :)

The user of that certificate probably signed a message with his/her
non-repudiation certificate and the sender can therefore not deny having
sent the message.

From your point of view, i.e., the admin of the gateway, yes the
certificate is kind of pointless. By default all certificates from
messages are extracted and stored in the certificate store. In this
case, the certificate could just as well have been skipped if that's
what you mean?

Yes and no ;-)
The point is that such certificates are lawyer toys. Technically the same as all others but limited by their usage and maybe useful in case of going to court, but only if you have a good lawyer... I wonder why someone will pay for such certificates and why the usage for encryption is denied anyway?

Regards

Andreas
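
The key usage rule discussed in this thread, as an added example that is not part of the original messages and is not Djigzo's code: it decodes the DER BIT STRING of a keyUsage extension (bit positions per RFC 5280) and reports whether the certificate is usable for signing or encryption. The function names, the constructed sample bytes, and the assumption that encryption needs keyEncipherment or keyAgreement are mine.

```python
# Added example, not Djigzo code. Bit order follows RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING that forms a keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with at least one payload byte")
    length = der[1]
    if length & 0x80 or length != len(der) - 2 or length > 3:
        raise ValueError("unexpected length for keyUsage")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    usages = set()
    for i in range(len(payload) * 8 - unused):
        # DER numbers bits from the most significant bit of the first byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit %d is not defined for keyUsage" % i)
            usages.add(KEY_USAGE_BITS[i])
    return usages

def classify(usages):
    """Map key usages to the two purposes discussed in the thread.

    None means the certificate has no keyUsage extension, which places
    no restriction on the key. The encryption rule is an assumption.
    """
    if usages is None:
        return {"signing": True, "encryption": True}
    return {
        # Signing and/or non-repudiation is acceptable for signing.
        "signing": bool(usages & {"digitalSignature", "nonRepudiation"}),
        "encryption": bool(usages & {"keyEncipherment", "keyAgreement"}),
    }

# Constructed sample values (not taken from any real certificate).
NON_REPUDIATION_ONLY = bytes.fromhex("03020640")  # only bit 1 set
SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")      # bits 0 and 2 set

if __name__ == "__main__":
    for name, der in (("nonRepudiation only", NON_REPUDIATION_ONLY),
                      ("signature + keyEncipherment", SIGN_AND_ENCRYPT)):
        print(name, sorted(parse_key_usage(der)), classify(parse_key_usage(der)))
```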


