We have been handed a set of test certificates on smart cards for developing a solution that requires XML messages to be signed using PKI. Each (physical) smart card seems to have two certificates stored on it. I import them into the Windows certificate store using software supplied by the smart card provider, and then use code resembling the following to iterate over the installed certificates:

// CertStore is an X509Store that has already been opened (e.g. StoreName.My, StoreLocation.CurrentUser)
foreach (X509Certificate2 x509 in CertStore.Certificates) {
  foreach (X509Extension extension in x509.Extensions) {
     if (extension.Oid.Value == "2.5.29.15") { // id-ce-keyUsage, the Key Usage extension OID
        X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
        if ((ext.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.None) {
            // process certs here
        }
     }
  }
}

We have been told to use the certificates that have the NonRepudiation key usage flag set to sign the XMLs. However, the certificate that has the NonRepudiation flag has this flag only, and not for instance the DigitalSignature flag which I check for above. Does this strike anyone but me as slightly odd? I am in other words told to sign with a certificate that does not (appear to) have the DigitalSignature usage flag set. Is this normal procedure? Any comments?

Thanks.

+1  A: 

What key use does it have? You're right, this is a little odd. However, if, for example, the key was used to provide AD logins, then it may not have the flags set for DigitalSignature use. That's not to say you can't use it for that; it just indicates that the certificate issuer provides no guarantee when you go outside the key's indicated usage.

blowdart
The one with the NonRepudiation flag set has *only* that flag, and this is what occurs to me as odd (given that I'm explicitly told to use that one for signing). However, I'm far from an expert in this field, so I thought it best to ask around :)
Eyvind
By the way; these certificates are generated specifically for this purpose, and are not intended for AD logins etc.
Eyvind
Well, that is a little weird; it ought to have both, but that depends on the policy of the issuer. The flags really are indicators of use, but it's up to you to decide if you should approve or reject certificates based upon them.
blowdart
A: 

As I read RFC 5280 (4.2.1.3), nonRepudiation is a superset of digitalSignature. In other words it grants all the abilities of digitalSignature and then some. So technically, what they are asking for is valid, though perhaps unusual.

Von
+1  A: 

If you want to provide a non-repudiation service, i.e. you want signatures to have a LEGAL value, then you are supposed to use nonRepudiation only. Indeed, this is RECOMMENDED by standards (see ETSI TS 102 280), since the usage of other keyUsage bits together with nonRepudiation may have security issues.

G.P.
Thanks for clearing that up, and for getting back to this question after such a long time :) +1
Eyvind
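Putting the question's loop and the answers' conclusion together: the selection should test for the NonRepudiation bit rather than DigitalSignature, and the chosen certificate's private key (which stays on the card and is reached through the provider's CSP) is then handed to SignedXml. The following is an added example, not code from the question or any of the answers; it assumes the smart-card middleware has imported the certificates into the current user's Personal ("My") store, and the class and method names (NonRepudiationXmlSigner, FindNonRepudiationCerts, SignEnvelopedXml) and the sample message are the example's own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example: pick the smart-card certificate whose Key Usage extension sets
// NonRepudiation, then sign an XML document with an enveloped XML-DSig signature.
static class NonRepudiationXmlSigner
{
    // Returns the certificates in the store whose Key Usage extension sets
    // NonRepudiation and for which a private key is available (on the card).
    public static X509Certificate2Collection FindNonRepudiationCerts(X509Store store)
    {
        var result = new X509Certificate2Collection();
        foreach (X509Certificate2 cert in store.Certificates)
        {
            foreach (X509Extension extension in cert.Extensions)
            {
                // "2.5.29.15" is id-ce-keyUsage (RFC 5280 section 4.2.1.3); only that
                // extension is decoded by .NET as an X509KeyUsageExtension.
                var ku = extension as X509KeyUsageExtension;
                if (ku == null || extension.Oid.Value != "2.5.29.15") continue;

                bool nonRepudiation =
                    (ku.KeyUsages & X509KeyUsageFlags.NonRepudiation) != X509KeyUsageFlags.None;
                if (nonRepudiation && cert.HasPrivateKey)
                    result.Add(cert);
            }
        }
        return result;
    }

    // Signs the document in place with an enveloped signature and embeds the
    // certificate in <KeyInfo> so a relying party can locate and validate it.
    public static void SignEnvelopedXml(XmlDocument doc, X509Certificate2 signingCert)
    {
        var signedXml = new SignedXml(doc);
        signedXml.SigningKey = signingCert.PrivateKey; // the smart-card CSP prompts for the PIN here

        var reference = new Reference { Uri = "" }; // "" references the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signingCert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    static void Main()
    {
        // Assumption: the provider's software imported the card's certificates into this store.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection candidates = FindNonRepudiationCerts(store);
            if (candidates.Count == 0)
                throw new InvalidOperationException("No NonRepudiation certificate with a private key was found.");

            // Constructed sample message; a real solution would load the message to be signed.
            var doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml("<message><body>hello</body></message>");

            SignEnvelopedXml(doc, candidates[0]);
            Console.WriteLine(doc.OuterXml);
        }
        finally
        {
            store.Close();
        }
    }
}
```

If more than one certificate on the card sets NonRepudiation, FindNonRepudiationCerts returns all of them; the caller decides which to use, for instance by issuer or validity period, rather than silently taking the first. Because the key usage bits are only the issuer's declaration of intended use, as blowdart notes, the check above is a selection policy on the signing side; the relying party applies its own policy when it validates the embedded certificate.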