Martin Paljak wrote:

> As the nonrep only certificate does NOT have an SSL client certificate 
> usage bit it must not be chosen automatically for ssl client 
> authentication.

I looked at your certs.  Your non-repudiation certificate does not have
an "extended key usage" (EKU) extension at all.

When an EKU extension is present, the cert may only be used for the usages
listed there; but when NO EKU extension is present, the cert is valid for
ALL usages, subject to the limitations of the key usage and basic
constraint extensions.

So, since your NR cert has no EKU extension, we have no reason to believe
that it is not usable for SSL client auth.  It is not a CA cert, so
cannot be used to sign certs.  It has a key usage that excludes use for
any sort of encryption.  But it allows NR, which is a type of signature.
And signature is the key usage required for client auth.  So, we conclude
that this cert can be used for ANY signature application whatsoever.
(Some signature applications require NR, but AFAIK, none forbid NR.)

If you want your NR cert to be unusable for SSL client auth, then you need
an EKU extension that doesn't include that usage.

-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
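The selection rule Nelson describes (not a CA, key usage permits some kind of signature, and either no EKU extension at all or an EKU that lists clientAuth) can be checked mechanically. The following Go program is an added example and is not code from the thread, from NSS or from Mozilla; it generates throwaway self-signed certificates (constructed test data, not Martin's real certificates) and applies that rule to each. It follows the message in counting the nonRepudiation bit (Go calls it ContentCommitment) as a signature usage; function and variable names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCert builds a throwaway self-signed end-entity certificate (constructed
// test data) carrying the given key usage bits and, when eku is non-empty, an
// extended key usage extension. It returns the certificate re-parsed from DER
// so that the checker sees exactly what a relying party would see.
func MakeCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example end entity"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // encodes cA=FALSE: not a CA cert
		KeyUsage:              ku,   // zero means: no key usage extension
		ExtKeyUsage:           eku,  // nil means: no EKU extension at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// UsableForClientAuth applies the rule from the message: a certificate is
// eligible for SSL/TLS client auth when it is not a CA, its key usage (if
// present) allows a signature, and it either has no EKU extension or its EKU
// list includes clientAuth. The second return value explains the decision.
func UsableForClientAuth(c *x509.Certificate) (bool, string) {
	if c.IsCA {
		return false, "basic constraints mark it as a CA certificate"
	}
	// digitalSignature or nonRepudiation (ContentCommitment) both count as
	// signature usages here; an absent key usage extension restricts nothing.
	sigBits := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	if c.KeyUsage != 0 && c.KeyUsage&sigBits == 0 {
		return false, "key usage permits no signature"
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true, "no EKU extension, so every usage is allowed"
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny {
			return true, "EKU lists clientAuth"
		}
	}
	return false, "EKU present but omits clientAuth"
}

func main() {
	cases := []struct {
		name string
		cert *x509.Certificate
	}{
		{"NR only, no EKU", MakeCert(x509.KeyUsageContentCommitment, nil)},
		{"NR only, EKU=emailProtection", MakeCert(x509.KeyUsageContentCommitment,
			[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection})},
		{"keyEncipherment only, no EKU", MakeCert(x509.KeyUsageKeyEncipherment, nil)},
	}
	for _, tc := range cases {
		ok, why := UsableForClientAuth(tc.cert)
		fmt.Printf("%-32s client auth: %-5v (%s)\n", tc.name, ok, why)
	}
}
```

The first case reproduces the situation in the thread: an NR-only certificate with no EKU extension passes the check, so a client has no grounds to skip it. Adding an EKU that omits clientAuth (second case) is what makes the same certificate ineligible, which is exactly the remedy Nelson proposes.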
