[7670] in cryptography@c2.net mail archive
Using signature-only certs to authenticate key exchanges
daemon@ATHENA.MIT.EDU (Enzo Michelangeli)
Mon Aug 14 23:41:46 2000
Message-ID: <03d301c00665$672adde0$3f00a8c0@asiainter.net>
From: "Enzo Michelangeli" <em@who.net>
To: <cryptography@c2.net>
Date: Tue, 15 Aug 2000 11:03:19 +0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
If I use a signature-only cert to authenticate a D-H key exchange (e.g., in
IPSEC, or SSL with ephemeral DH ciphersuites) am I in violation of any
licensing condition and/or, when applicable, export regulation? I'm asking
because MS seems to suggest that for Win2K's IPSEC stack a signature-only
cert would suffice:
http://www.microsoft.com/WINDOWS2000/library/planning/security/ipsecsteps.as
p
[...]
Here are the requirements for the certificate to be used for IPSec:
Certificate stored in computer account (machine store)
Certificate contains an RSA public key that has a corresponding private key
that can be used for RSA signatures.
Used within certificate validity period
The root certificate authority is trusted
A valid certificate authority chain can be constructed by the CAPI module
[...]
Cheers --
Enzo
