> I don't know what went wrong here.
>
> Wan-Teh
>


Yeah, me neither. As far as the selection of certs goes in the UI, If I
select a cert that has key usage of 'Digital Signature, Non-Repudiation
(c0)' for signing, it prompts me if I would like to also use it for
encryption. Obviously this cert is not meant for encryption. I am given
the prompt: <ok> <cancel>  -- shouldn't it be yes/no? But regardless, I
should never even be offered the choice -- the certificate I selected
does not have key usage of encryption.

Here is another note: If I say yes (even though it makes no sense to be
asked in the first place), then the Key with Digital Signature,
Non-Repudiation (c0) will actually show up as the key for encryption.
This can't be right!

Here is what else we have discovered from testing:
The problem occurs every time there are two different certs. If there is just 1 for signing, the signing goes through.

If there are two, TB will accept both with the above usability caveats, but then when you try to send a signed message it fails. We can reproduce this behavior with file-based certs as well. So this clearly is not a problem with the card or the PKCS11 implementation.

I guess I will have to submit a bug report but that doesn't help us for now.

As for your question about the 3rd cert, it is a policy decision and not a technical one to include the 3rd cert. It can do signing and client authentication. It's meant for getting into doors in a building and such. I can't explain why they thought you should have 3 certs, but they did.

Christian

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to