D3|\||\|!$ wrote, On 2007-12-08 03:55: [CRL question snipped. Kyle answered it.]
> 2) Consider the web page given below:
> http://docs.sun.com/source/816-5533-10/ext.htm#1012064
>
> It forewarns us to set the nonRepudiation (1) bit only after carefully
> considering its legal consequences. Since I'm not acquainted with
> the use of this bit very well, I cannot figure what exactly could be
> the consequences of setting this bit in a certificate. Could anybody
> kindly give me a real-life example of what could possibly happen with
> this bit set? I fully understand the meaning of "Non-Repudiation" but
> can't figure out the legal aspect of its presence...

The meaning of this bit varies by country and by CA.

In some European countries, anything signed with a "qualified" NR cert issued by any of the CAs recognized by that country's government is fully legally binding. So a user with such a cert wants to be very careful that no software can ever get him to sign undisclosed content, lest it be something like "I hereby give all my lands, properties and possessions to <attacker>." Some countries with this view specify that NR certs can only be used for certain documents, or only with certain restricted software, and must not be used for (say) signing emails.

Other countries take different views, however. Another view is that NR certs are to be used for long-term signatures, such as signatures on contracts or emails, and not for short-term signatures such as those used for user identification to a remote computer. Some CAs issue 3 signing certs: one for authentication, one for signing emails and other long-term but not legally binding documents, and NR certs for special use.

Most CAs that issue NR certs want to know that the private key for such a cert is stored on some kind of "smart card" or other tamper-resistant physical device that the user will protect with somewhat more care than he would protect his PC.

The lack of uniform expectations for the purposes of NR certs has led to a lot of unhappiness with the way that FF handles them. Any decision FF makes will make some set of NR cert users unhappy. The first bug that was ever filed regarding NR certs complained that FF would NOT allow NR certs to be used for signatures on certain documents. We changed that, and since then, we've had many more complaints that FF DOES allow NR certs to be used for that purpose.

My advice is to avoid NR certs except in PRIVATE PKIs. A closed PKI system can define them any way it wants to. For the general public, we should avoid them, unless and until the meaning of NR certs can be unified.

> 3) While using the certutil tool, how do we set the various bits of the
> netscape-cert-type extension for a self-signed CA certificate??

The Netscape cert type extension is non-standard and is deprecated. It has been entirely superseded by the standard Extended Key Usage (EKU) extension, IINM. So, my advice: don't plan to put that type of extension in new certs.

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
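The two points in the reply above (the KeyUsage nonRepudiation bit is bit 1 of the named-bit-list BIT STRING, and netscape-cert-type is a deprecated extension that should not appear in new certs) are the kind of thing a practitioner wants to check mechanically before trusting or issuing a certificate. The following is an added example, not code from the thread or from NSS/certutil: a small pure-Python DER codec that parses an X.509 Extensions SEQUENCE, lists the KeyUsage bits, flags nonRepudiation, and reports whether the deprecated netscape-cert-type OID (2.16.840.1.113730.1.1) is present. The two sample Extensions blobs are constructed here for illustration (a CA following the advice above, and a legacy cert that asserts NR and carries nsCertType); they are not real certificates, and the code audits only the Extensions block, which in a real certificate you would first pull out of tbsCertificate's [3] field.

```python
"""Audit an X.509 Extensions block for the KeyUsage nonRepudiation bit and for
the deprecated netscape-cert-type extension, using a minimal DER codec.
Added example: pure Python, no third-party modules, constructed sample input."""

# --- minimal DER encoder (only used to build the constructed samples) -------

def der(tag, body):
    """TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(groups))
    return der(0x06, bytes(body))

def der_bitstring(bits):
    """Named-bit-list BIT STRING: bit 0 is the MSB of the first content octet;
    DER drops trailing zero bits and counts them in the leading 'unused' octet."""
    if not bits:
        return der(0x03, b"\x00")
    nbits = max(bits) + 1
    out = bytearray((nbits + 7) // 8)
    for b in bits:
        out[b // 8] |= 0x80 >> (b % 8)
    return der(0x03, bytes([len(out) * 8 - nbits]) + bytes(out))

def extension(oid, value, critical=False):
    body = der_oid(oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value)
    return der(0x30, body)

# --- minimal DER decoder ----------------------------------------------------

def der_read(buf, pos=0):
    """Return (tag, content, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_bitstring(body):
    """Set of bit indices that are 1, honouring the unused-bits octet."""
    total = (len(body) - 1) * 8 - body[0]
    return {i for i in range(total) if body[1 + i // 8] & (0x80 >> (i % 8))}

def parse_extensions(ext_der):
    """Map OID -> (critical, extnValue octets) for a DER Extensions SEQUENCE."""
    _, seq, _ = der_read(ext_der)
    exts, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = der_read(seq, pos)
        _, oid_body, p = der_read(ext)
        critical = False
        tag, val, p = der_read(ext, p)
        if tag == 0x01:                 # optional BOOLEAN critical DEFAULT FALSE
            critical = val != b"\x00"
            tag, val, p = der_read(ext, p)
        exts[decode_oid(oid_body)] = (critical, val)
    return exts

# --- the audit --------------------------------------------------------------

KEY_USAGE = "2.5.29.15"
NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1"   # deprecated Netscape extension
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

def audit_extensions(ext_der):
    exts = parse_extensions(ext_der)
    report = {"keyUsage": [], "nonRepudiation": False, "netscapeCertType": False}
    if KEY_USAGE in exts:
        _, body, _ = der_read(exts[KEY_USAGE][1])   # extnValue wraps the BIT STRING
        bits = decode_bitstring(body)
        report["keyUsage"] = [KEY_USAGE_BITS[b] for b in sorted(bits) if b < 9]
        report["nonRepudiation"] = 1 in bits         # bit 1 = nonRepudiation
    report["netscapeCertType"] = NETSCAPE_CERT_TYPE in exts
    return report

# Constructed samples (not real certificates): a self-signed CA with only
# keyCertSign+cRLSign, and a legacy cert asserting NR plus nsCertType client,email.
CA_EXTENSIONS = der(0x30, extension(KEY_USAGE, der_bitstring({5, 6}), critical=True))
LEGACY_EXTENSIONS = der(0x30,
    extension(KEY_USAGE, der_bitstring({0, 1}), critical=True)
    + extension(NETSCAPE_CERT_TYPE, der_bitstring({0, 2})))

if __name__ == "__main__":
    for name, blob in (("CA", CA_EXTENSIONS), ("legacy", LEGACY_EXTENSIONS)):
        print(name, blob.hex(), audit_extensions(blob))
```

The bit numbering is the usual trap: KeyUsage bits count from the most significant bit of the first content octet, so keyCertSign+cRLSign encodes as `03 02 01 06` and digitalSignature+nonRepudiation as `03 02 06 c0`, which is why a naive `value & 0x02` test on the raw octet would miss nonRepudiation entirely. A real audit would run the same `audit_extensions` over the Extensions SEQUENCE extracted from each certificate in the chain and refuse to issue or trust a cert that sets bit 1 outside a closed PKI, or that still carries the netscape-cert-type OID.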