santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Scott Cantor" <>
Subject RE: FW:
Date Tue, 05 Jan 2010 15:08:46 GMT
Arshad Noor wrote on 2010-01-05:
> In the software that I write, Scott, I enforce this.  From
> experience, I also know that browsers and S/MIME User Agents
> (Outlook, Thunderbird) also enforce this.

Those are applications. If they want to enforce it, that's fine, but it
doesn't belong in an XML Security library (for example).

> While I presume that cryptographic frameworks such as JCE,
> CAPI, CNG, etc. also enforce this, I do not make assumptions
> about the degree to which they enforce keyUsage bits.

The underlying crypto shouldn't be enforcing anything. X.509 is an
application construct, not a cryptographic component.

It's pointless to make somebody extract the key themselves and hand it to
the same code, and that's what they'll do if the certificate doesn't work as
a way of getting the key in.

-- Scott

View raw message