Re: [exim-dev] [Bug 443] would like to use user S/MIME certi…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-dev
Betreff: Re: [exim-dev] [Bug 443] would like to use user S/MIME certificate as sufficient authentication
On Thu, Jun 12, 2014 at 10:05:25PM +0100, Jeremy Harris wrote:

> >Sorry, a bit out of context here, not sure what "they" means, can
> >you state your question in a bit more detail?
>
> keyUsage and kextendedKeyUsage fields in certificates.
>
> Does anybody take notice of them?


If the extendedKeyUsage extension is present, and set only to
"emailProtection" (OpenSSL name for id-kp-emailProtection =
1.3.6.1.5.5.7.3.4), then the certificate fails verification as a
TLS client certificate with an OpenSSL server even when the issuing
CA is trusted.

I don't know whether the (non-extended) keyUsage of S/MIME certificates
can impinge on their ability to be used for TLS client auth.

IIRC with TLS server certificates, if keyUsage is present and does
not include keyAgreement, ECDSA and ECDHE ciphersuites may be
disabled.

-- 
    Viktor.