tags:

views:

52

answers:

1
Q: 

Should X509 certificate have nonRepudiation bit set to check PKCS7 signature?

X509 certificate has set of keyUsage bits. Two of them are digitalSignature
nonRepudiation (recent editions of X.509 have renamed this bit to contentCommitment).

I read X509 RFC (http://tools.ietf.org/html/rfc5280) and it talks about general usage of these bit.

And I read PKCS7 RFC (http://tools.ietf.org/html/rfc2315) and it talks about PKCS7 structure and so on and doesn't specify which bits needs to be set.

Is there any RFC or other specification which identifies whether one or both of them should be set?

Regards, Victor

A: 

A PKCS#7 file generally contains a chain of certificates. That is, a Root CA certificate, any intermediate CA certificates that apply, and then the endpoint certificate (SSL, e-mail, etc.) A PKCS#7 is typically used to bundle these up into a single file. It's useful, in that you can import the entire chain at once into a keystore or other relying application.

As to the key usage bits, those are set depending on the needs and purpose of a particular certificate. For example, a Root CA certificate would typically have both digital signature and non-repudiation set. For an SSL certificate, you may find key encipherment and digital signature. There's really no correlation between key usage and PKCS#7 files, unless you're talking about the CA certificates contained in the PKCS#7 file.

Shadowman  2010-08-18 18:16:29
Got it. I think that confirms my thoughts. On of the problems that PKCS#7 is almost synonym to SMIME in many places. And SMIME requires no-repudiation, that's why I got confused.
Victor Ronin  2010-08-19 13:49:41
The PKCS#7 really refers to "digitally signed messages". So, it really depends on what type of PKCS#7 data you're talking about. If you're talking about S/MIME, then yes you do want "digital signature" and "non-repudiation" set. If you're talking about a file encapsulating a set of certificates, it's not quite as important.
Shadowman  2010-08-19 13:55:30

related questions

Creating OpenVPN Keys and Cert using ruby - how
Setting Certificate Friendly Name
C# Export cert in pfx format
Python accessing web service protected by PKI/SSL
What is Public key infrastucture
How do I authenticate a user with the "Smart card is required for interactive logon" set?
Apache authentication via DOD PKI CAC
why do we need the pfx (key exchange) file?
where is private key?
what means subject in certificate?
DOD Common Access Card (CAC) Authentication
Reading private keys from oracle wallet
What type of X509 Certificate to use for XML Signature?
Primer for X.509 certificates on Windows
What does "wsse:InvalidSecurity" mean?
Best (Free) Certificate management tools
What's the difference between class 1 and class 3 roots, and the certificates signed by them?
What is the best cross-browser solution for browser based document signing (w/ digital signature)?
How to generate an SSL client certificate from a disconnected network?
Are CAs allowed to modify CSRs before signing?
MS CA Exit Module Code or Tutorial
What system do you use to encrypt files for a group of people (OS agnostic prefered)?
Storing X509 certificates in DB - Yea or Nay?
Encryption libraries?
What is the performance difference of pki to symmetric encryption?