X509 Certificates, DigitalSignature vs NonRepudiation (C#)?

You're right, this is a little odd, however if, for example, the key was used to provide AD logins then it may not have the flags set for DigitalSignature use. That's not to say you can't use it for that, it just indicates that the certificate issuer provides no guarantee when you go outside the key's indicated usage.

The one with the NonRepudiation flag set has only that flag, and this is what occurs as odd to me (given that I'm explicitly told to use that one for signing), however, I'm far from an expert in this field so I thought it best to ask around :) – Eyvind Dec 21 '09 at 10:04

By the way; these certificates are generated specifically for this purpose, and are not intended for AD logins etc. – Eyvind Dec 21 '09 at 10:05

Well that is a little weird, it ought to have both, but that depends on the policy of the issuer. The flags really are indicators of use, but it's up to you to decide if you should approve or reject certificates based upon them – blowdart Dec 21 '09 at 10:24

As I read RFC 5280 (4.2.1.3), nonRepudiation is a superset of digitalSignature. In other words it grants all the abilities of digitalSignature and then some. So technically, what they are asking for is valid, though perhaps unusual.

If you want to provide a non-repudiation service, i.e. you want signatures to have a LEGAL value, then you are supposed to use nonRepudiation only. Indeed, this is RECOMMENDED by standards (see ETSI TS 102 280) since the usage of other keyUsage bits together with nonRepudiation may have security issues.

Thanks for clearing that up, and for getting back to this question after such a long time :) +1 – Eyvind Jun 11 '10 at 6:22
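The approve-or-reject decision discussed in this thread, as an added C# example that is not code from any of the posters: it builds a constructed self-signed certificate carrying only the NonRepudiation bit and checks it against two relying-party policies. The `KeyUsageCheck` class, the `AllowsSigning` and `MakeSample` helpers, the subject name, and the choice to reject a certificate with no keyUsage extension are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class KeyUsageCheck
{
    const string KeyUsageOid = "2.5.29.15"; // id-ce-keyUsage

    // Hypothetical policy helper: true when the certificate carries a keyUsage
    // extension with at least one of the bits the relying party accepts.
    public static bool AllowsSigning(X509Certificate2 cert, X509KeyUsageFlags accepted)
    {
        var ext = cert.Extensions[KeyUsageOid] as X509KeyUsageExtension;
        if (ext == null)
            return false; // policy choice for this example: no extension, no acceptance
        return (ext.KeyUsages & accepted) != 0;
    }

    // Constructed sample: self-signed certificate with only the given bits set.
    static X509Certificate2 MakeSample(RSA key, X509KeyUsageFlags usage)
    {
        var req = new CertificateRequest("CN=Constructed sample", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddDays(30));
    }

    static void Main()
    {
        using (RSA key = RSA.Create(2048))
        using (var cert = MakeSample(key, X509KeyUsageFlags.NonRepudiation))
        {
            var usage = ((X509KeyUsageExtension)cert.Extensions[KeyUsageOid]).KeyUsages;
            Console.WriteLine("keyUsage bits: " + usage);

            // A verifier that insists on DigitalSignature rejects this certificate.
            Console.WriteLine("DigitalSignature only: " +
                AllowsSigning(cert, X509KeyUsageFlags.DigitalSignature));

            // A verifier that accepts either bit lets it through.
            Console.WriteLine("Either bit: " + AllowsSigning(cert,
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation));
        }
    }
}
```

A verifier written against the first policy would refuse signatures made with a NonRepudiation-only certificate, so the accepted bits need to be agreed with whoever validates the signatures.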
