On 01/-10/-28163 08:59 PM, [email protected] wrote:
> Hello
>
> we have our Djigzo gateway configured to encrypt all outgoing mail if a
> matching certificate is found by setting "Encrypt Mode = Allow". Today I
> discovered a mail which was not encrypted but a valid certificate is
> available.
> I suspect it is because of the odd keyUsage setting in the certificate. It
> contains "digitalSignature" as only keyUsage, but "emailProtection" as
> Extended Key Usage. Have I got it right that all certificates which do
> not contain "keyEncipherment" as keyUsage or have empty keyUsage are not
> used for encryption by automatic selection?

A certificate is only valid for S/MIME encryption if one of the following conditions is true:

1. the KeyUsage is not set and the extended key usage is not set, the certificate can be used for encryption
2. the KeyUsage is not set and the extended key usage is set and contains emailProtection, the certificate can be used for encryption
3. the KeyUsage is set and contains keyEncipherment and the extended key usage is not set, the certificate can be used for encryption
4. the KeyUsage is set and contains keyEncipherment and the extended key usage is set and contains emailProtection, the certificate can be used for encryption

Kind regards,

Martijn Brinkers

--
Djigzo open source email encryption
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
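
The four conditions from the reply above, as an added example that is not part of the original message and is not Djigzo's own code. It assumes each extension is represented as `None` when absent and as a set of usage names when present; the function names and the sample certificate profiles are constructed for illustration.

```python
# Added example: the reply's four conditions, and the same rule collapsed
# into two checks. None = extension absent; a set = usage names present.

def four_conditions(key_usage, ext_key_usage):
    """The reply's list, evaluated condition by condition."""
    ku_set = key_usage is not None
    eku_set = ext_key_usage is not None
    has_ke = ku_set and "keyEncipherment" in key_usage
    has_ep = eku_set and "emailProtection" in ext_key_usage
    return (
        (not ku_set and not eku_set)   # condition 1
        or (not ku_set and has_ep)     # condition 2
        or (has_ke and not eku_set)    # condition 3
        or (has_ke and has_ep)         # condition 4
    )

def encryption_eligible(key_usage, ext_key_usage):
    """Same rule: each extension is either absent or must permit the use.
    Returns (eligible, reason) so an operator can see why a cert was skipped."""
    if key_usage is not None and "keyEncipherment" not in key_usage:
        return False, "keyUsage is set but lacks keyEncipherment"
    if ext_key_usage is not None and "emailProtection" not in ext_key_usage:
        return False, "extended key usage is set but lacks emailProtection"
    return True, "usable for S/MIME encryption"

# Constructed sample profiles: (keyUsage, extended key usage).
PROFILES = {
    "certificate from the question": ({"digitalSignature"}, {"emailProtection"}),
    "no usage extensions": (None, None),
    "extended key usage only": (None, {"emailProtection"}),
    "keyUsage only": ({"digitalSignature", "keyEncipherment"}, None),
    "both set, both matching": ({"keyEncipherment"}, {"emailProtection", "clientAuth"}),
    "both set, wrong extended usage": ({"keyEncipherment"}, {"serverAuth"}),
}

def evaluate_profiles():
    """Map each profile name to its (eligible, reason) result."""
    return {name: encryption_eligible(ku, eku) for name, (ku, eku) in PROFILES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_profiles().items():
        print(f"{name:32} {'encrypt' if ok else 'skip':8} {reason}")
```

The first profile matches the certificate described in the question: keyUsage is present without keyEncipherment, so none of the four conditions holds even though emailProtection is listed.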
