Handling of KeyUsage Flag by Djigzo

Hello

By browsing the database certificates I found that some external
recipients have split certificates for "digitalSignature" and
"keyEncipherment", some additionally have "dataEncipherment" and some
have no key usage at all. After reading about these flags, the question
arises how Djigzo handles this flag, if at all.

Many Thanks

Andreas

Encryption:

When deciding whether a certificate is valid for S/MIME encryption,
Djigzo checks whether the certificate has the following properties:

If the key usage extension is available, it should contain
"keyEncipherment". If the key usage extension is not specified, the
certificate is considered to be valid for all usages.

If the extended key usage extension is available, it should either
contain "anyKeyUsage" OR "emailProtection". If the extended key usage
extension is not available, the certificate is considered to be valid
for all extended usages.

The key usage and extended key usage must both be valid.

Signing:

When deciding whether a certificate is valid for S/MIME signing, Djigzo
checks whether the certificate has the following properties:

If the key usage extension is available, it should contain
"digitalSignature" OR "nonRepudiation". If the key usage extension is
not specified, the certificate is considered to be valid for all usages.

If the extended key usage extension is available, it should either
contain "anyKeyUsage" or "emailProtection". If the extended key usage
extension is not available, the certificate is considered to be valid
for all extended usages.

The key usage and extended key usage must both be valid.

The "dataEncipherment" key usage is not used very often. It's used when
the private key is used to encrypt other data than a session key. S/MIME
is a two step process. When a message is encrypted, a session key is
generated (for example a AES key). The message is encrypted with the
session key (for example AES encryption). The session key is then
encrypted with the public key. The "keyEncipherment" extension says that
the key can be used to encrypt a session key.

Kind regards,

Martijn

--
Djigzo open source email encryption
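The decision rule from the reply above, written out as an added example (not Djigzo's own code) and run over constructed certificate shapes matching the ones in the question: split signing/encryption certificates, one with "dataEncipherment" only, and one with no key usage extension. Extension contents are modelled as sets of flag names, with `None` meaning the extension is absent.

```python
from typing import FrozenSet, List, Optional, Tuple

# Key usage bits accepted per purpose, as described in the reply.
KU_ENCRYPT = frozenset({"keyEncipherment"})
KU_SIGN = frozenset({"digitalSignature", "nonRepudiation"})
# The reply calls the wildcard "anyKeyUsage"; RFC 5280 names the
# extended key usage OID 2.5.29.37.0 "anyExtendedKeyUsage".
EKU_ACCEPTED = frozenset({"anyKeyUsage", "anyExtendedKeyUsage", "emailProtection"})

Flags = Optional[FrozenSet[str]]  # None = extension not present
Cert = Tuple[str, Flags, Flags]   # (label, key usage, extended key usage)


def key_usage_ok(purpose: str, key_usage: Flags) -> bool:
    """Absent KU extension: valid for all usages. Otherwise require a matching bit."""
    if key_usage is None:
        return True
    required = KU_ENCRYPT if purpose == "encrypt" else KU_SIGN
    return bool(required & key_usage)


def ext_key_usage_ok(ext_key_usage: Flags) -> bool:
    """Absent EKU extension: valid for all extended usages. Otherwise need any/emailProtection."""
    if ext_key_usage is None:
        return True
    return bool(EKU_ACCEPTED & ext_key_usage)


def valid_for(purpose: str, key_usage: Flags, ext_key_usage: Flags) -> bool:
    """Both the KU and the EKU check must pass."""
    return key_usage_ok(purpose, key_usage) and ext_key_usage_ok(ext_key_usage)


def usable_certs(purpose: str, certs: List[Cert]) -> List[str]:
    """Labels of the certificates a sender could use for `purpose`."""
    return [label for label, ku, eku in certs if valid_for(purpose, ku, eku)]


# Constructed recipient certificate set mirroring the question (not real certificates).
RECIPIENT_CERTS: List[Cert] = [
    ("split-sign", frozenset({"digitalSignature", "nonRepudiation"}), frozenset({"emailProtection"})),
    ("split-enc", frozenset({"keyEncipherment"}), frozenset({"emailProtection"})),
    ("enc-plus-data", frozenset({"keyEncipherment", "dataEncipherment"}), None),
    ("data-only", frozenset({"dataEncipherment"}), None),   # dataEncipherment alone is not enough
    ("no-ku", None, None),                                   # no KU/EKU: valid for everything
    ("wrong-eku", frozenset({"keyEncipherment"}), frozenset({"serverAuth"})),
]

if __name__ == "__main__":
    for purpose in ("encrypt", "sign"):
        print(purpose, "->", usable_certs(purpose, RECIPIENT_CERTS))
```

Note that "data-only" is rejected for encryption: S/MIME wraps a session key, so only "keyEncipherment" counts.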