e-mail signing and certificate extensions - Openssl


Thread: e-mail signing and certificate extensions

  1. Re: e-mail signing and certificate extensions

    On Mon, Oct 06, 2008, Arsen Hayrapetyan wrote:

    > Dear list,
    >
    > If I understand correctly, there are two X.509 v3 extensions that determine
    > key (companion to the given certificate) suitability for e-mail signing:
    >
    > 1. extendedKeyUsage (EKU)
    > 2. nsCertType
    >


    nsCertType is obsolete now. It is retained for compatibility but its use is
    discouraged.

    > In particular,
    > 1. Setting only "emailProtection" in EKU
    > or
    > 2. Setting only "email" in nsCertType
    > gives
    > S/MIME signing : Yes
    > when the certificate is checked with "openssl x509 -in cert.pem -noout
    > -purpose"
    >
    > 3. When no EKU or nsCertType extension is present in cert, one gets:
    > S/MIME signing : Yes (why?)
    >


    Because the extension is a restriction on the key. If the extension is absent
    there is no restriction.

    > 4. If, e.g., "emailProtection" is NOT set in EKU and nsCertType is absent,
    > I get
    > S/MIME signing : No
    >
    > Can anyone explain, which combination of these two extensions results in a
    > key suitable for e-mail signing?
    > Do only these two extensions determine the suitability of the key for
    > e-mail signing?
    >


    The key usage digital signature and/or the (can of worms) non-repudiation bits
    can restrict the key in general. So if key usage is present and both these
    bits are not set then chain validation for S/MIME signing (and any other
    signing) will fail.

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
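The decision rule Steve describes (EKU and nsCertType are restrictions that only bite when present, and keyUsage without digitalSignature/nonRepudiation vetoes signing) can be walked through on the four cases Arsen listed. The following is an added example, not code from the thread or from OpenSSL: a small, hypothetical model of a certificate's three relevant extensions plus a re-implementation of the end-entity branch of OpenSSL's `check_purpose_smime_sign()` logic, rendered as the `S/MIME signing` line that `openssl x509 -purpose` prints.

```python
from typing import Optional, Set

# Hypothetical minimal model of the three extensions the thread discusses.
# None = extension absent; a set = extension present with the listed bits.
class CertExtensions:
    def __init__(self, eku: Optional[Set[str]] = None,
                 ns_cert_type: Optional[Set[str]] = None,
                 key_usage: Optional[Set[str]] = None):
        self.eku = eku                    # extendedKeyUsage, e.g. {"emailProtection"}
        self.ns_cert_type = ns_cert_type  # nsCertType, e.g. {"email"}
        self.key_usage = key_usage        # keyUsage, e.g. {"digitalSignature"}

def check_smime(ext: CertExtensions) -> int:
    """End-entity branch of check_purpose_smime(): 0 = No, 1 = Yes,
    2 = Yes with warning (nsCertType 'client' tolerated for buggy certs)."""
    # EKU is a restriction: present without emailProtection -> rejected (case 4).
    if ext.eku is not None and "emailProtection" not in ext.eku:
        return 0
    if ext.ns_cert_type is not None:
        if "email" in ext.ns_cert_type:
            return 1
        if "client" in ext.ns_cert_type:
            return 2
        return 0
    # Neither extension present: nothing restricts the key (case 3, the "why?").
    return 1

def check_smime_sign(ext: CertExtensions) -> int:
    """check_purpose_smime_sign(): additionally, a present keyUsage must carry
    digitalSignature or nonRepudiation, otherwise the key cannot sign."""
    ret = check_smime(ext)
    if ret == 0:
        return 0
    if ext.key_usage is not None and not (ext.key_usage & {"digitalSignature", "nonRepudiation"}):
        return 0
    return ret

def purpose_line(ext: CertExtensions) -> str:
    """Render the line 'openssl x509 -purpose' prints for this purpose."""
    ret = check_smime_sign(ext)
    verdict = "Yes" if ret == 1 else "No" if ret == 0 else "Yes (WARNING code=%d)" % ret
    return "S/MIME signing : " + verdict

if __name__ == "__main__":
    for label, ext in [("1. EKU emailProtection only", CertExtensions(eku={"emailProtection"})),
                       ("2. nsCertType email only", CertExtensions(ns_cert_type={"email"})),
                       ("3. no EKU, no nsCertType", CertExtensions()),
                       ("4. EKU without emailProtection", CertExtensions(eku={"clientAuth"})),
                       ("keyUsage keyEncipherment only", CertExtensions(key_usage={"keyEncipherment"}))]:
        print("%-32s %s" % (label, purpose_line(ext)))
```

The last case is Steve's point: no EKU and no nsCertType, yet the result is "No" purely because keyUsage is present without a signing bit.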


  2. e-mail signing and certificate extensions

    Dear list,

    If I understand correctly, there are two X.509 v3 extensions that
    determine key (companion to the given certificate) suitability for
    e-mail signing:

    1. extendedKeyUsage (EKU)
    2. nsCertType

    In particular,
    1. Setting only "emailProtection" in EKU
    or
    2. Setting only "email" in nsCertType
    gives
    S/MIME signing : Yes
    when the certificate is checked with "openssl x509 -in cert.pem -noout
    -purpose"

    3. When no EKU or nsCertType extension is present in cert, one gets:
    S/MIME signing : Yes (why?)

    4. If, e.g., "emailProtection" is NOT set in EKU and nsCertType is
    absent, I get
    S/MIME signing : No

    Can anyone explain, which combination of these two extensions results in
    a key suitable for e-mail signing?
    Do only these two extensions determine the suitability of the key for
    e-mail signing?

    Thank you for your answers,
    Arsen.

