An X.509 certificate has a set of keyUsage bits. Two of them are digitalSignature and
nonRepudiation (recent editions of X.509 have renamed this bit to contentCommitment).

I read the X.509 RFC (http://tools.ietf.org/html/rfc5280) and it talks about the general usage of these bits.

And I read the PKCS#7 RFC (http://tools.ietf.org/html/rfc2315); it talks about the PKCS#7 structure and so on and doesn't specify which bits need to be set.

Is there any RFC or other specification which identifies whether one or both of them should be set?

Regards, Victor

A: 

A PKCS#7 file generally contains a chain of certificates. That is, a Root CA certificate, any intermediate CA certificates that apply, and then the endpoint certificate (SSL, e-mail, etc.). A PKCS#7 is typically used to bundle these up into a single file. It's useful, in that you can import the entire chain at once into a keystore or other relying application.

As to the key usage bits, those are set depending on the needs and purpose of a particular certificate. For example, a Root CA certificate would typically have both digital signature and non-repudiation set. For an SSL certificate, you may find key encipherment and digital signature. There's really no correlation between key usage and PKCS#7 files, unless you're talking about the CA certificates contained in the PKCS#7 file.

Shadowman
Got it. I think that confirms my thoughts. One of the problems is that PKCS#7 is almost a synonym for S/MIME in many places. And S/MIME requires non-repudiation; that's why I got confused.
Victor Ronin
The PKCS#7 really refers to "digitally signed messages". So, it really depends on what type of PKCS#7 data you're talking about. If you're talking about S/MIME, then yes you do want "digital signature" and "non-repudiation" set. If you're talking about a file encapsulating a set of certificates, it's not quite as important.
Shadowman
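The thread turns on which keyUsage bits a given certificate actually asserts (digitalSignature and nonRepudiation for an S/MIME signer, for instance). The following is an added example written for this page, not code from the question or the answer: it decodes and re-encodes the KeyUsage extension value, which RFC 5280 section 4.2.1.3 defines as a BIT STRING with named bits 0 (digitalSignature) through 8 (decipherOnly), and applies the DER rules from X.690 (unused-bits octet, trailing zero bits dropped). The input is the raw BIT STRING you get after unwrapping the extension's OCTET STRING; the hex samples below are constructed by hand, and the function names are my own.

```python
"""Decode / encode the X.509 KeyUsage BIT STRING (RFC 5280 sec. 4.2.1.3).

Added example for this page; not from the original thread. Operates on the
DER BIT STRING that is the extnValue of keyUsage (OID 2.5.29.15), i.e. the
bytes inside the extension's OCTET STRING. Sample encodings are constructed.
"""

# Bit positions are fixed by RFC 5280; bit 1 is called contentCommitment in
# newer editions of X.509, but the position and meaning are unchanged.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

BIT_STRING_TAG = 0x03


def decode_key_usage(der: bytes, strict: bool = True) -> set:
    """Return the set of usage names asserted in a DER-encoded KeyUsage.

    With strict=True, reject encodings that are valid BER but not DER
    (trailing zero bits not dropped, or garbage in the unused bits).
    """
    if len(der) < 3 or der[0] != BIT_STRING_TAG:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for KeyUsage")
    if len(der) != 2 + length:
        raise ValueError("length mismatch")
    unused = der[2]          # first content octet: number of unused trailing bits
    payload = der[3:]
    if unused > 7 or (not payload and unused != 0):
        raise ValueError("invalid unused-bits octet")
    if strict and payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i in range(total_bits):
        if payload[i // 8] & (0x80 >> (i % 8)):       # bit 0 is the MSB of byte 0
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"undefined KeyUsage bit {i}")
            usages.add(KEY_USAGE_BITS[i])
    if strict and total_bits and KEY_USAGE_BITS[total_bits - 1] not in usages:
        raise ValueError("trailing zero bits present: BER, not DER")
    return usages


def encode_key_usage(usages) -> bytes:
    """DER-encode a set of usage names (trailing zero bits are dropped)."""
    bits = [KEY_USAGE_BITS.index(u) for u in usages]  # ValueError on unknown name
    if not bits:
        return bytes([BIT_STRING_TAG, 1, 0])           # empty BIT STRING
    highest = max(bits)
    nbytes = highest // 8 + 1
    payload = bytearray(nbytes)
    for b in bits:
        payload[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (highest + 1)
    return bytes([BIT_STRING_TAG, 1 + nbytes, unused]) + bytes(payload)


def missing_usages(der: bytes, required) -> set:
    """Usages a relying party requires that the certificate does not assert."""
    return set(required) - decode_key_usage(der)


if __name__ == "__main__":
    # Constructed samples: a typical TLS server cert, an S/MIME signer, a CA.
    for label, hexval in [("tls", "030205a0"), ("smime", "030206c0"), ("ca", "03020106")]:
        print(label, sorted(decode_key_usage(bytes.fromhex(hexval))))
    print("S/MIME signing with the TLS cert lacks:",
          missing_usages(bytes.fromhex("030205a0"), ["digitalSignature", "nonRepudiation"]))
```

To feed it a real certificate, extract the extension value with `openssl asn1parse -in cert.pem -strparse <offset>` (or any ASN.1 library) and pass the BIT STRING bytes; the decoder itself does not parse the surrounding certificate. The strict checks matter when comparing encodings byte for byte, because a BER encoder may emit `03 02 00 a0` for the same usages that DER requires to be `03 02 05 a0`.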