Re: Question about certificate (x509)

From: Michel Gallant (neutron_at_istar.ca)
Date: 08/13/04


Date: Fri, 13 Aug 2004 09:15:24 -0400

Not necessarily. It depends to some extent on what you are actually signing.
For example to either sign or encrypt email (e.g. S/MIME) you would need only
a single certificate (with one matching private key). In Microsoft cert-key land,
this usually means using a key marked as AT_EXCHANGE.

However, other implementations of "signing", e.g. digitally signing executables, cabs
etc. using the Authenticode-signing implementation, have stronger security implications and
so some Microsoft tools want a key/cert marked with a different "extended property" ...
i.e. a key type AT_SIGNATURE.
This difference (I have been told by some MS folks) is a bit dated these days, and goes
back to some historical key-size restriction issues.
I have been told that there is no good reason these days to simply use AT_EXCHANGE for
ALL key operations ... except of course that several Microsoft tools (including some .NET tools)
will ONLY accept AT_SIGNATURE marked keys :-)

- Mitch Gallant
   www.jensign.com

"Lokicer" <lokicer@163.com> wrote in message news:cfhusd$1aqp$1@mail.cn99.com...
> Hi,
>
> MS CryptoAPI uses different key pairs to sign and encrypt, so the public
> key for encryption and for verification is also different. It means one should use
> a different certificate (.cer file) to encrypt and verify messages?
> Thanks in advance.
>
> Regards,
> Zheng
>
>
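The following is an added example, not code from this thread or from Microsoft, that makes the AT_SIGNATURE / AT_KEYEXCHANGE distinction above concrete: it creates one certificate whose private key is marked AT_SIGNATURE and one marked AT_KEYEXCHANGE, reports the KeySpec CryptoAPI recorded for each, then shows that a signature verifies only against the signing certificate and that a message encrypted to the exchange certificate opens only with the exchange key. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later and uses a legacy CSP on purpose, since KeySpec is a property of CSP key containers; the subject names and message text are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 on Windows 10 /
# Server 2016 or later. Subjects and the message text are constructed placeholders.
# A legacy CSP is used deliberately: the CryptoAPI KeySpec (AT_SIGNATURE = 2,
# AT_KEYEXCHANGE = 1) is a property of CSP key containers, not of CNG keys.
$csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# Private key marked AT_SIGNATURE: what the Authenticode-oriented tools mentioned above expect.
$signCert = New-SelfSignedCertificate -Subject 'CN=Demo Signing Key (constructed)' `
    -Provider $csp -KeySpec Signature -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation Cert:\CurrentUser\My

# Private key marked AT_KEYEXCHANGE: one key usable for both S/MIME signing and encryption.
$xchgCert = New-SelfSignedCertificate -Subject 'CN=Demo Exchange Key (constructed)' `
    -Provider $csp -KeySpec KeyExchange -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation Cert:\CurrentUser\My

# 1. Report the KeySpec CryptoAPI recorded for each key container.
foreach ($c in $signCert, $xchgCert) {
    $info = $c.PrivateKey.CspKeyContainerInfo
    '{0,-36} KeySpec = {1} ({2})' -f $c.Subject, [int]$info.KeySpec, $info.KeySpec
}

# 2. A signature made with one key pair verifies only against that pair's certificate,
#    which is why a verifier needs the signer's certificate, not an encryption one.
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$hash   = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$sigPad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$encPad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

$data = [System.Text.Encoding]::UTF8.GetBytes('message body (constructed)')
$sig  = $rsaExt::GetRSAPrivateKey($signCert).SignData($data, $hash, $sigPad)

'Verify with signing cert:  ' + $rsaExt::GetRSAPublicKey($signCert).VerifyData($data, $sig, $hash, $sigPad)
'Verify with exchange cert: ' + $rsaExt::GetRSAPublicKey($xchgCert).VerifyData($data, $sig, $hash, $sigPad)

# 3. Encryption goes to the recipient's exchange certificate; only its private key can open it.
$cipher = $rsaExt::GetRSAPublicKey($xchgCert).Encrypt($data, $encPad)
$plain  = $rsaExt::GetRSAPrivateKey($xchgCert).Decrypt($cipher, $encPad)
'Decrypt with exchange key: ' + [System.Text.Encoding]::UTF8.GetString($plain)
try {
    $null = $rsaExt::GetRSAPrivateKey($signCert).Decrypt($cipher, $encPad)
    'Decrypt with signing key:  unexpectedly succeeded'
} catch {
    'Decrypt with signing key:  failed as expected (' + $_.Exception.Message + ')'
}

# Clean up the demo certificates together with their key containers.
foreach ($c in $signCert, $xchgCert) {
    Remove-Item -Path ('Cert:\CurrentUser\My\' + $c.Thumbprint) -DeleteKey
}
```

Run it as an ordinary user; the CurrentUser store needs no elevation. The KeySpec line is the check to make when a signing tool rejects a certificate that otherwise looks fine: a key created with -KeySpec KeyExchange (or imported as one) carries KeySpec 1, and tools that insist on AT_SIGNATURE will not take it even though the same RSA key could mathematically sign. The CSP is what enforces the split, so a CNG-backed key (the default provider when -Provider is omitted) reports no KeySpec at all and the PrivateKey property may be empty under older .NET runtimes.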