Angelo Rosenfelder wrote:
> I have got a smart card here with 2 certificates on it (it's officially
> distributed in Switzerland for digital signatures). They both have the
> same CKA_Subject, but different CKA_Label. One is for signing only, the
> other for non-repudiation only.
> When I choose the signing-certificate in Account Settings->Security,
> CERT_FindUserCertByUsage() gets called with the right nickname as
> argument, but returns a certificate with a different nickname (namely
> the non-repudiation certificate).
>
> Basically, CERT_FindUserCertByUsage() does the following steps:
> -Find a cert with the given nickname (finds the correct cert)
> -Create a list of certs with the same subject the above found cert has
> (as a result, both certs are in the list, since both have the same subject)
> -Filter certs with wrong usage from this list (as a result, both certs
> remain in the list, since NR implies signing, which is the requested usage)
> -Return the first cert in this list (which is the NR-cert)
>
> So there is no possibility that the requested signing cert is ever
> returned, and so I am not able to sign mails with my signing cert.
>
> As a solution I would propose to filter the list also for the requested
> nickname, right after filtering for the usage.
> If this is the right way, I will file a new bug and propose an
> implementation of this solution.

Here's the problem, Angelo,

The international community does not agree on the purposes of signing and NR certs.

One view, held by some countries, and the citizens of those countries, is that signing certs are only for short-term temporal signatures, such as SSL client authentication, or other forms of authentication, where the signature generated is not kept for long periods of time, and NR certs are used for signatures that will be kept and may need to be reverified at multiple times in the future, such as in emails. The users from those countries insist that Firefox should choose to use their NR cert (if they have one) for email signature, and only use a signing cert if they have no NR cert.

A second view, held in other countries, and by the citizens of those countries, is that NR certs are only for use in certain very specific applications, such as when dealing with their government, and that non-NR signing certs are to be used for all other signature purposes. I gather that you are in this group.

Some people complain and say "Of course it should be using my NR cert" and others say "Of course it should be using my non-NR signing cert" and both users are trying to do the same thing.

The good news is that everyone agrees that NR certs should not be used for SSL client auth. The bad news is that they do not agree on the use of NR certs for email signatures.

While using CKA_Label as you imagine might seem to be a solution, it really places onto the user the responsibility to know which cert is correct to use in any given situation. NSS's approach is to let the user specify the relevant selection criteria (e.g. what identity, what type of operation, etc.) and have NSS choose the right cert from among the candidates that meet the relevant selection criteria.
At the present time, NSS's FindUserCertByUsage API uses a set of pre-defined usages, and that set does not draw a distinction between temporal short term signatures and durable long term signatures. If there is any part of NSS that I would change to try to address your problem, I think it would be making the pre-defined usages more fine grained.

Please look for a duplicate bug, either in product "NSS" or in product "core", in any of the Security components, including especially Security:PSM.

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
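
The selection steps listed in the quoted report, together with the proposed nickname filter, as an added example that is not part of the thread and is not NSS source code. It is a simplified C model: the `struct cert` type, the `find_signing_cert` function, the nicknames and the subject string are all constructed for illustration, and the list order (NR cert first) is assumed to match what the report observed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not NSS types: only the fields the thread mentions. */
enum { KU_DIGITAL_SIGNATURE = 1, KU_NON_REPUDIATION = 2 };
struct cert {
    const char *nickname;  /* CKA_Label on the token */
    const char *subject;   /* CKA_Subject */
    unsigned key_usage;
};

/* Constructed sample token: same subject, different labels, NR cert first. */
static const struct cert token[] = {
    { "Card:NonRepudiation", "CN=Example User,C=CH", KU_NON_REPUDIATION },
    { "Card:Signature",      "CN=Example User,C=CH", KU_DIGITAL_SIGNATURE },
};
#define NCERTS (sizeof token / sizeof token[0])

/* Steps from the report; match_nickname=1 adds the proposed extra filter. */
static const struct cert *find_signing_cert(const char *nickname, int match_nickname)
{
    const struct cert *seed = NULL;
    size_t i;

    for (i = 0; i < NCERTS && !seed; i++)   /* 1. find cert by nickname */
        if (strcmp(token[i].nickname, nickname) == 0)
            seed = &token[i];
    if (!seed)
        return NULL;
    for (i = 0; i < NCERTS; i++) {
        const struct cert *c = &token[i];
        if (strcmp(c->subject, seed->subject) != 0)
            continue;                       /* 2. keep same-subject certs */
        /* 3. usage filter: per the report, NR also counts as signing */
        if (!(c->key_usage & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)))
            continue;
        if (match_nickname && strcmp(c->nickname, nickname) != 0)
            continue;                       /* proposed nickname filter */
        return c;                           /* 4. return first survivor */
    }
    return NULL;
}

int main(void)
{
    printf("as described: %s\n", find_signing_cert("Card:Signature", 0)->nickname);
    printf("with filter:  %s\n", find_signing_cert("Card:Signature", 1)->nickname);
    return 0;
}
```

With `match_nickname` set, the model returns whichever certificate the user named, which is the responsibility Nelson's reply argues should not be placed on the user.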