Re: Certificate requests for encryption keys

[Ben Laurie <ben@xxxxxxxxxxxxx>]

Bob Jueneman wrote:
> 
> Excellent question, and one we have been pondering as well,
> since Novell's NICI strongly types keys and rigidly enforces the
> allowed operations.
> 
> Our working, temporary expedient, along the lines of your #1,
> is to type the private key for both encryption and signature, but to
> only turn on the encryption bit in the certificate.  But that's an
> admittedly ugly hack.  Worse yet, it won't work at all with a
> DH encryption key.

I feel sure I'm going to regret asking, but why won't this work with a
DH key?

BTW, it seems to me that the more appropriate thing to do is to make it
legal to sign certificate requests (and only certificate requests) with
encryption-only keys rather than mark the private key for signing (which
then means it can be used for signing despite the certificate). In terms
of APIs, this means constructing and signing a cert request in a single
step, I presume (or marking a cert request as "signable by an encryption
key" - hmm, that might be a cool approach, too).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi