The concept behind this is, that it is said, if one key is compromised, only a part of the whole "system" is affected. If someone compromises your signing-key hi is still unable to decrypt your mails. IPsec for example also has different key material for signing and different key material for encrypting packets. This is a security engineers philosophy. As far I remember this was a criticized point of WEP weaknesses, WEP uses the same cryptographic material for signing and encryption.
I do not think the point behind this is to sell more certificates. If this principle is used, normally both certificates are issued the same time. Kind Regards, Manuel Faux -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of [email protected] Sent: Friday, February 25, 2011 11:49 AM To: [email protected] Subject: Re: [Djigzo users] Strange Key Usage "nonRepudiation" Zitat von Manuel Faux <[email protected]>: > Hi, > > Not really related, but maybe it will clarify the point: > In Austria for example it is law, that a signed document is equally > trustworthy like a hand-signed document, if the signature was created > by an qualified-certificate (in short, a certificate on a SmartCard, > which was signed by the Austrian government). If I sign a contract > with my SmartCard, the signature itself cannot be disputed by any > layer. The same will maybe happen in germany too. But the question is why the certificates are limited to signing? Is there any security drawback in allowing encryption? For me it only looks like the opportunity to sell *two* certificates to the same person. Regards Andreas _______________________________________________ Users mailing list [email protected] http://lists.djigzo.com/lists/listinfo/users
