
List:       ms-cryptoapi
Subject:    Filtering certificates for encryption/decryption in enveloped
From:       Giovanni Sarbia <g.sarbia () VIRGILIO ! IT>
Date:       2002-06-30 22:39:22


Hello,

I need to filter the certificates available in the "Other people" (or
AddressBook) store in order to list only those that can be properly used
as recipients for enveloped messages. My problem is that even though
CAPI does not return errors while encrypting and enveloping data, the
recipient of the encrypted data will not be able to decrypt the message
if the private key is only specified as AT_SIGNATURE (i.e. the dwKeySpec
parameter after calling CryptAcquireCertificatePrivateKey will have a
value of AT_SIGNATURE). Specifically I would like to know if it is
possible, using CAPI functions on the sender's PC (where there is no
access to the private keys), to select only those certificates that have
an AT_KEYEXCHANGE private key on the receiver's PC. I guess that, if
it's at all possible, the answer should be based on the key usage and
extended key usage properties of the certificate, but after searching
through the list archives and through Google I found several people
believing that the key specification does not depend only on key usage
properties, so that it would not be possible to solve my problem. If my
problem can be solved, I don't know exactly what (combination of)
properties should be tested in order to select a "good" certificate. I
think that selecting only valid recipients is an important function. For
example, someone could believe, being wrong, that he/she has a
certificate that can be used to receive enveloped messages, then give me
his/her certificate with the public key to let me send him/her private
messages. My software should not, nevertheless, allow me to use that
certificate to envelop messages. I hope someone has found a solution, or
has found that there is definitely no solution...

Thanks in advance for your help.

Best regards,

Giovanni

-------
Giovanni Sarbia
g.sarbia@virgilio.it
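
Added example, not part of the original message: the sender-side check that the certificate alone supports, assuming RSA key transport recipients. The key specification (AT_KEYEXCHANGE or AT_SIGNATURE) belongs to the recipient's key container and is not encoded in the certificate, so this filter can only reject certificates whose keyUsage excludes keyEncipherment; it cannot confirm how the private key is stored. `classify_recipient`, `parse_key_usage` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with crypt32.lib */
#endif

/* keyEncipherment bit in the first keyUsage octet (RFC 5280); same value as
   CERT_KEY_ENCIPHERMENT_KEY_USAGE in wincrypt.h. */
#define KU_KEY_ENCIPHERMENT 0x20
enum recip { RECIP_REJECT, RECIP_OK, RECIP_UNRESTRICTED };

/* Hypothetical helper. has_ku == 0 means the certificate has no keyUsage
   extension, so nothing is asserted and the caller's policy must decide. */
enum recip classify_recipient(int has_ku, unsigned char ku)
{
    if (!has_ku) return RECIP_UNRESTRICTED;
    return (ku & KU_KEY_ENCIPHERMENT) ? RECIP_OK : RECIP_REJECT;
}

/* Hypothetical helper: decode a keyUsage extnValue (DER BIT STRING) into its
   first octet. Returns 0 on success, -1 on malformed input. */
int parse_key_usage(const unsigned char *der, size_t len, unsigned char *ku)
{
    if (len < 4 || der[0] != 0x03 || (size_t)der[1] != len - 2 || der[2] > 7)
        return -1;
    *ku = der[3];
    return 0;
}

int main(void)
{
#ifdef _WIN32   /* walk the "Other People" store and classify each certificate */
    HCERTSTORE store = CertOpenSystemStoreA(0, "AddressBook");
    PCCERT_CONTEXT cert = NULL;
    if (!store) return 1;
    while ((cert = CertEnumCertificatesInStore(store, cert)) != NULL) {
        BYTE ku = 0; char name[256];
        /* FALSE with a zeroed byte: no keyUsage extension present */
        BOOL has = CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert->pCertInfo, &ku, 1);
        CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, name, (DWORD)sizeof name);
        printf("%-40s %d\n", name, (int)classify_recipient(has, ku));
    }
    CertCloseStore(store, 0);
#else           /* constructed sample: digitalSignature only, must be rejected */
    static const unsigned char sample[] = { 0x03, 0x02, 0x07, 0x80 };
    unsigned char ku;
    if (parse_key_usage(sample, sizeof sample, &ku) == 0)
        printf("sample -> %d\n", (int)classify_recipient(1, ku));
#endif
    return 0;
}
```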
