EldoS | Feel safer!
Question about KeyUsage

Posted: 11/07/2006 11:02:34
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155


I don't really know what the differences are between the NonRepudiation (ContentCommitment) and digitalSignature bits. I'm asking this because we are going to have in a smart card two certificates that differ in these bits (one has nonRepudiation=1 and the other digitalSignature=1). The other bits are 0 (and when nonRepudiation=1 then digitalSignature=0, and when digitalSignature=0 nonRepudiation is 1).

I've tried to google it and learn something from the help, but I don't have it 100% clear. Can someone tell me what the differences are and what is supposed to happen when I sign/verify with one certificate (nonRepudiation) or the other (digitalSignature)?

It isn't really related to SBB, but as we're in this forum "supposed" to know it (me also :p), maybe someone can help me (EldoS, you're welcome also ;)).

Many thanks
Posted: 11/07/2006 13:01:43
by Eugene Mayevski (Team)

Let's review the standard (RFC 3280):


Bits in the KeyUsage type are used as follows:

The digitalSignature bit is asserted when the subject public key is used with a digital signature mechanism to support security services other than certificate signing (bit 5), or CRL signing (bit 6). Digital signature mechanisms are often used for entity authentication and data origin authentication with integrity.

The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non-repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing.
In the case of later conflict, a reliable third party may determine the authenticity of the signed data.

Further distinctions between the digitalSignature and nonRepudiation bits may be provided in specific certificate policies.

The most important part is the third one. The certificates must be used for various purposes, and different policies can apply. That's the main difference between the two.

Sincerely yours
Eugene Mayevski
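As an added illustration of the bits the RFC text above describes (example code written for this page, not part of the thread, the RFC or any EldoS product), the following pure-Python snippet decodes the DER-encoded KeyUsage BIT STRING from a certificate extension, re-encodes it, and maps the asserted bits to the signature services the RFC distinguishes. The two-certificate smart card in the question is modelled with constructed sample encodings; the function names `parse_key_usage`, `encode_key_usage`, `allowed_signing_purposes` and `pick_certificate` are this example's own.

```python
# Added example, not from the original thread: decode/encode an X.509 KeyUsage
# BIT STRING (RFC 3280 section 4.2.1.3) and decide which signing purposes the
# certificate's key may serve. Pure Python, no third-party packages.

# Bit positions as defined in the KeyUsage ASN.1 type (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = (
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (called contentCommitment in later RFCs)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
)


def parse_key_usage(der: bytes) -> frozenset:
    """Decode a DER BIT STRING (0x03, length, unused-bit count, bits MSB-first)
    into the set of asserted KeyUsage bit names. Raises ValueError on malformed input."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero; reject sloppy encoders.
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires unused bits to be zero")
    names = set()
    total_bits = len(body) * 8 - unused
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def encode_key_usage(names) -> bytes:
    """Inverse of parse_key_usage: minimal DER encoding of a set of bit names."""
    bits = 0
    highest = -1
    for n in names:
        i = KEY_USAGE_BITS.index(n)
        bits |= 1 << (15 - i)          # 16-bit field, MSB-first
        highest = max(highest, i)
    if highest < 0:
        return bytes([0x03, 0x01, 0x00])   # empty BIT STRING
    nbits = highest + 1                    # DER drops trailing zero bits
    nbytes = (nbits + 7) // 8
    unused = nbytes * 8 - nbits
    body = bits.to_bytes(2, "big")[:nbytes]
    return bytes([0x03, nbytes + 1, unused]) + body


def allowed_signing_purposes(names) -> dict:
    """Map KeyUsage bits to the services the quoted RFC text distinguishes:
    digitalSignature covers authentication / data-origin signatures, nonRepudiation
    covers signatures meant to bind the signer against later denial; certificate and
    CRL signing are separate bits."""
    return {
        "authentication_signature": "digitalSignature" in names,
        "non_repudiation_signature": "nonRepudiation" in names,
        "certificate_signing": "keyCertSign" in names,
        "crl_signing": "cRLSign" in names,
    }


def pick_certificate(certs: dict, purpose: str) -> list:
    """Given {label: DER KeyUsage}, return the labels whose key usage permits `purpose`."""
    return sorted(label for label, der in certs.items()
                  if allowed_signing_purposes(parse_key_usage(der))[purpose])


if __name__ == "__main__":
    # Constructed sample: the smart card from the question, one certificate per bit.
    card = {
        "cert_A": encode_key_usage({"nonRepudiation"}),    # 03 02 06 40
        "cert_B": encode_key_usage({"digitalSignature"}),  # 03 02 07 80
    }
    for label, der in card.items():
        print(label, der.hex(), sorted(parse_key_usage(der)))
    print("use for non-repudiation signature:", pick_certificate(card, "non_repudiation_signature"))
    print("use for authentication signature:", pick_certificate(card, "authentication_signature"))
```

The selection logic is deliberately only about the KeyUsage bits; as the reply notes, which signatures count as "non-repudiation" in practice is defined by the certificate policy (the policy OIDs in the certificate), so a real signing application would check the policy as well.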
Posted: 11/07/2006 13:53:39
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Now I understand it... as you say, policies have different OIDs (as they're similar, I didn't see that difference before). I was confused and thought that maybe one certificate couldn't be used for signing or something...

Many thanks once more

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.