Hi,

Not really related, but maybe it will clarify the point:
In Austria, for example, it is law that a signed document is as trustworthy 
as a hand-signed document if the signature was created by a 
qualified certificate (in short, a certificate on a SmartCard which was signed 
by the Austrian government). If I sign a contract with my SmartCard, the 
signature itself cannot be disputed by any lawyer.

Kind Regards,
Manuel Faux

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of [email protected]
Sent: Friday, February 25, 2011 10:59 AM
To: [email protected]
Subject: Re: [Djigzo users] Strange Key Usage "nonRepudiation"

Zitat von Martijn Brinkers <[email protected]>:

> On 01/-10/-28163 08:59 PM, [email protected] wrote:
>> Zitat von Martijn Brinkers <[email protected]>:
>>
>>> On 01/-10/-28163 08:59 PM, [email protected] wrote:
>>>> Hello
>>>>
>>>> today I found some certificate in our Djigzo store with key usage = 
>>>> nonRepudiation. I have grabbed the matching root CA but this 
>>>> certificate is still marked as invalid, so the question is if this 
>>>> is because of the exclusive use of nonRepudiation and what this 
>>>> certificate should be used for anyway?
>>>
>>> Non-repudiation is a 'strong' form of signing which is normally used 
>>> for legal electronic signatures. This normally implies that the 
>>> private key is stored on an approved smart card and that the 
>>> certificate is issued by some highly trusted issuer. Sometimes, 
>>> three certificates (and private
>>> keys) are issued to one person: an encryption certificate, a signing 
>>> certificate and a non-repudiation certificate. With three 
>>> certificates, the signing certificate is typically used only for 
>>> authentication purposes and the non-repudiation for signing documents.
>>>
>>> Djigzo does not make a distinction between a signing certificate and 
>>> a non-repudiation certificate. A certificate with signing and/or 
>>> non-repudiation key usage is acceptable for signing.
>>>
>>> The reason why the certificate is invalid in your case is that the 
>>> certificate contains only the non-repudiation key usage. The 
>>> certificate is therefore not valid for encryption. It should be 
>>> valid for signing if you would possess the private key.
>>
>> Hm, okay so because of the "strong" intended usage the certificate is 
>> actually of low usage value because it is "signing-only".
>
> Well yes and no :)
>
> The user of that certificate probably signed a message with his/her 
> non-repudiation certificate and the sender can therefore not deny 
> having sent the message.
>
> From your point of view, i.e., the admin of the gateway, yes the 
> certificate is kind of pointless. By default all certificates from 
> messages are extracted and stored in the certificate store. In this 
> case, the certificate could just as well have been skipped if that's 
> what you mean?

Yes and no ;-)
The point is that such certificates are lawyer toys. Technically the same as all 
others but limited by their usage, and maybe useful in case you go to court, but 
only if you have a good lawyer...
I wonder why someone would pay for such certificates and why the usage for 
encryption is denied anyway?

Regards

Andreas



_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
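The thread turns on which KeyUsage bits a certificate carries: Martijn's explanation is that a certificate with digitalSignature and/or nonRepudiation is acceptable for signing, while a certificate with only nonRepudiation is not valid for encryption. The following is an added example, not code from the list or from Djigzo, that decodes the KeyUsage extension value (a DER BIT STRING, RFC 5280 section 4.2.1.3) from raw bytes and applies that rule. The bit names and their positions are the RFC 5280 ones; the choice of keyEncipherment as the bit that makes a certificate usable for encryption is my assumption (the thread does not name the bit; it is the bit S/MIME uses for RSA key transport). The sample byte strings are constructed fixtures, not certificates from the thread.

```python
"""Decode an X.509 KeyUsage extension value and classify the certificate
the way the thread describes: signing is allowed with digitalSignature
and/or nonRepudiation; encryption needs keyEncipherment (assumption).
Added example, not Djigzo code."""

# RFC 5280 KeyUsage bit positions, bit 0 being the most significant bit
# of the first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (RFC 5280 also calls it contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> frozenset:
    """Parse a DER BIT STRING (tag 0x03, short-form length) into named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused = der[2]           # number of padding bits in the last byte
    bits = der[3:]
    if unused > 7 or (not bits and unused != 0):
        raise ValueError("invalid unused-bits count")
    total_bits = len(bits) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, offset = divmod(i, 8)
        if bits[byte] & (0x80 >> offset):
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def encode_key_usage(names) -> bytes:
    """Inverse of decode_key_usage (DER: trailing zero bits are dropped).
    Used here to build the constructed fixtures below."""
    indexes = [KEY_USAGE_BITS.index(n) for n in names]
    if not indexes:
        return bytes([0x03, 0x01, 0x00])
    highest = max(indexes)
    nbytes = highest // 8 + 1
    buf = bytearray(nbytes)
    for i in indexes:
        buf[i // 8] |= 0x80 >> (i % 8)
    unused = nbytes * 8 - (highest + 1)
    return bytes([0x03, nbytes + 1, unused]) + bytes(buf)


def classify(usages) -> dict:
    """Apply the acceptance rule from the thread to a set of usage names."""
    return {
        "signing": bool(usages & {"digitalSignature", "nonRepudiation"}),
        # Assumption: keyEncipherment is what an RSA S/MIME encryption
        # certificate needs; the thread only says 'not valid for encryption'.
        "encryption": "keyEncipherment" in usages,
    }


# Constructed fixtures (hex of the DER extension value):
#   03 02 06 40  -> nonRepudiation only (the case from the thread)
#   03 02 05 A0  -> digitalSignature + keyEncipherment (a typical S/MIME cert)
NON_REPUDIATION_ONLY = bytes.fromhex("03020640")
SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")

if __name__ == "__main__":
    for label, der in (("nonRepudiation-only", NON_REPUDIATION_ONLY),
                       ("sign+encrypt", SIGN_AND_ENCRYPT)):
        usages = decode_key_usage(der)
        print(label, sorted(usages), classify(usages))
```

Running the block shows the nonRepudiation-only certificate classified as usable for signing but not for encryption, which is the "invalid" result the gateway reported for that store entry; the decoder rejects malformed BIT STRING headers instead of guessing, since a KeyUsage that cannot be parsed should not grant any usage.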