List:       ms-cryptoapi
Subject:    About Key-pairs
From:       John Boyer <jboyer () MAILHOST ! UWI ! COM>
Date:       1998-02-23 18:08:46


It would be great if the CryptoAPI actually enforced the distinction between
AT_SIGNATURE and AT_KEYEXCHANGE.  Unfortunately, it doesn't and the popular
CAs out there are taking advantage of the fact that it doesn't.

AT_KEYEXCHANGE has come to mean that the private key can be used for key
exchange or for signature.  To check this for yourself, get a certificate
that has medium security set on it.  When you try to sign data, Windows
brings up a message dialog to warn the user that his/her private key is
about to be used to sign data.  The dialog says that the private "exchange"
key is being used to do this.  So, CAPI permits the signature even though
the key is not part of an AT_SIGNATURE certificate.

The reason this is a serious problem is that if I, as a CAPI developer,
uncomment the code that tests for the AT_SIGNATURE property, then my program
suddenly doesn't work with everybody's Verisign and Thawte digital Ids.  It
seems to me that the CAs are doing this because they don't want to confuse
people by making them get two digital Ids when one will do the trick.
However, the fallacy in this solution is that programmers like me can't
concomitantly meet the needs of one-Id people and two-Id people.

CAs should automatically issue both a key exchange and a signature
certificate if they perceive their customers want to do both operations.
Further, CAPI should be more restrictive.  Since this email is unlikely to
change the world... can anyone suggest a reasonable compromise?

Thanks,
John Boyer
Software Development Manager
UWI.Com -- The Internet Forms Company
jboyer@uwi.com
(250) 479 8334 ext. 143


-----Original Message-----
From: Radhika Deo <radhika@FCPL.CO.IN>
To: CryptoAPI@DISCUSS.MICROSOFT.COM <CryptoAPI@DISCUSS.MICROSOFT.COM>
Date: Sunday, February 22, 1998 8:45 PM
Subject: Key-Pairs


>Hi,
>
>I am having one doubt regarding key-pairs. CryptoAPI says that every
>user has two key-pairs, AT_SIGNATURE used for signing messages and
>AT_EXCHANGE used to encrypt session keys. But why have two key-pairs?
>Why not only one? And does this mean that every user has two
>certificates corresponding to each key-pair?
>
>
>Thanks ,
>------------------------------------------------------------------------
>Radhika Deo .
>Frontier Computers Pvt. Ltd .
>EMail - radhika@fcpl.co.in , radhikadeo@hotmail.com
>
>----------------------------------------------------------------
>Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
>contains important info including how to unsubscribe.  Save time, search
>the archives at http://microsoft.ease.lsoft.com/archives/index.html
>
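
An added example, not part of the original message or of CryptoAPI: one way an application could apply its own signing policy instead of relying on CAPI to enforce the key spec. `may_sign`, `may_sign_with_cert`, the `strict` switch and the decision to consult the certificate's keyUsage extension are assumptions of this example; the Windows wrapper compiles only under `_WIN32`.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else  /* values from wincrypt.h, repeated so the policy builds off Windows */
#define AT_KEYEXCHANGE 1
#define AT_SIGNATURE 2
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#endif

/* SIGN_ALLOW_AUDIT: permit the signature, but the caller should log it. */
typedef enum { SIGN_ALLOW, SIGN_ALLOW_AUDIT, SIGN_DENY } sign_decision;

/* Hypothetical policy helper, not a CryptoAPI function.
 * key_spec: dwKeySpec of the private key behind the certificate.
 * has_ku, ku: is a keyUsage extension present, and its first byte.
 * strict: nonzero accepts AT_SIGNATURE keys only (rejects one-ID users). */
sign_decision may_sign(unsigned long key_spec, int has_ku, unsigned char ku, int strict)
{
    if (has_ku && !(ku & CERT_DIGITAL_SIGNATURE_KEY_USAGE))
        return SIGN_DENY;                 /* issuer did not allow signing */
    if (key_spec == AT_SIGNATURE)
        return SIGN_ALLOW;
    if (key_spec == AT_KEYEXCHANGE)       /* dual-use "exchange" key */
        return strict ? SIGN_DENY : SIGN_ALLOW_AUDIT;
    return SIGN_DENY;                     /* unknown key spec */
}

#ifdef _WIN32
/* Reads both inputs from a certificate context with a CAPI private key. */
sign_decision may_sign_with_cert(PCCERT_CONTEXT cert, int strict)
{
    HCRYPTPROV_OR_NCRYPT_KEY_HANDLE key = 0;
    DWORD spec = 0;
    BOOL must_free = FALSE, has_ku;
    BYTE ku = 0;
    if (!CryptAcquireCertificatePrivateKey(cert, 0, NULL, &key, &spec, &must_free))
        return SIGN_DENY;
    if (must_free)
        CryptReleaseContext((HCRYPTPROV)key, 0);
    has_ku = CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert->pCertInfo, &ku, 1);
    return may_sign(spec, has_ku, ku, strict);
}
#endif

int main(void)
{   /* constructed cases: one-ID user (exchange key, no keyUsage), both modes */
    printf("permissive: %d\n", may_sign(AT_KEYEXCHANGE, 0, 0, 0));
    printf("strict:     %d\n", may_sign(AT_KEYEXCHANGE, 0, 0, 1));
    return 0;
}
```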

