Should an X509 certificate have the nonRepudiation bit set for checking PKCS7 signatures?
An X509 certificate has a set of keyUsage bits. Two of them are
digitalSignature
nonRepudiation (recent editions of X.509 have renamed this bit to contentCommitment).
I read the X509 RFC (https://www.rfc-editor.org/rfc/rfc5280) and it talks about the general usage of these bits.
And I read the PKCS7 RFC (https://www.rfc-editor.org/rfc/rfc2315) and it talks about the PKCS7 structure and so on and doesn't specify which bits need to be set.
Is there any RFC or other specification which identifies whether one or both of them should be set?
Regards,
Victor
A PKCS#7 file generally contains a chain of certificates. That is, a Root CA certificate, any intermediate CA certificates that apply, and then the endpoint certificate (SSL, e-mail, etc.). A PKCS#7 is typically used to bundle these up into a single file. It's useful, in that you can import the entire chain at once into a keystore or other relying application.
As to the key usage bits, those are set depending on the needs and purpose of a particular certificate. For example, a Root CA certificate would typically have both digital signature and non-repudiation set. For an SSL certificate, you may find key encipherment and digital signature. There's really no correlation between key usage and PKCS#7 files, unless you're talking about the CA certificates contained in the PKCS#7 file.
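As an added illustration of the keyUsage bits this answer refers to (example code written for this page, not from the answerer or the RFCs), the following decodes the DER BIT STRING that carries the keyUsage flags, names the bits that are set according to RFC 5280 section 4.2.1.3, and applies a relying-party policy for signature verification. The `may_sign_cms` policy (require digitalSignature or nonRepudiation/contentCommitment) is this example's own choice, not something the question's RFCs mandate, and the sample encodings are constructed by hand.

```python
"""Decode an X.509 KeyUsage extension value (RFC 5280 section 4.2.1.3).

Added example, not from the original thread. It parses the DER-encoded
BIT STRING that carries the keyUsage flags and names the bits that are set.
The sample encodings in main() are constructed by hand for illustration.
"""

# Bit positions as defined in RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (called contentCommitment in newer X.509)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Return the set of keyUsage names set in a DER BIT STRING.

    DER layout: 0x03 (BIT STRING tag), one-byte length, unused-bit count,
    payload bytes. Bit 0 of the ASN.1 BIT STRING is the most significant
    bit of the first payload byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused = der[2]
    payload = der[3:]
    if unused > 7 or (not payload and unused != 0):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def may_sign_cms(usages: set) -> bool:
    """Example relying-party policy for verifying a PKCS#7/CMS signature.

    RFC 5280 assigns digitalSignature and nonRepudiation/contentCommitment
    to signatures over data other than certificates and CRLs, so this
    policy accepts a signer certificate only if one of them is present.
    (This is the example's own policy, not an RFC requirement.)
    """
    return bool(usages & {"digitalSignature", "nonRepudiation"})


if __name__ == "__main__":
    # Constructed sample encodings (tag, length, unused bits, payload).
    samples = {
        "typical TLS server cert": bytes.fromhex("030205a0"),  # bits 0,2
        "signing cert":            bytes.fromhex("030206c0"),  # bits 0,1
        "typical CA cert":         bytes.fromhex("03020186"),  # bits 0,5,6
        "decipherOnly only":       bytes.fromhex("0303070080"),  # bit 8
    }
    for label, der in samples.items():
        usages = decode_key_usage(der)
        print(f"{label}: {sorted(usages)} -> may sign CMS: {may_sign_cms(usages)}")
```

Running the block prints the decoded bit names for each constructed sample; feeding it the raw extension value from a real certificate (the bytes after the keyUsage OID and any `critical` flag) works the same way.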
BTW, this bit violates the separation of concerns in its design. Non-repudiation is a legal issue negotiated on the business level. Using the bit at the certificate/signing level is irrelevant. See e.g. http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/ShockingTruth.html