On 01/-10/-28163 08:59 PM, lst_hoe02(a)kwsoft.de wrote:
Hello

we have our Djigzo gateway configured to encrypt all outgoing mail if a
matching certificate is found by setting "Encrypt Mode = Allow". Today I
discovered a mail which was not encrypted but a valid certificate is
available.

I suspect it is because of the odd keyUsage setting in the certificate. It
contains "digitalSignature" as only keyUsage, but "emailProtection" as
Extended Key Usage. Have I got it right that all certificates which do
not contain "keyEncipherment" as keyUsage or have empty keyUsage are not
used for encryption by automatic selection?

A certificate is only valid for S/MIME encryption if one of the
following conditions is true:

1. the KeyUsage is not set and the extended key usage is not set, the
   certificate can be used for encryption
2. the KeyUsage is not set and the extended key usage is set and contains
   emailProtection, the certificate can be used for encryption
3. the KeyUsage is set and contains keyEncipherment and the extended key
   usage is not set, the certificate can be used for encryption
4. the KeyUsage is set and contains keyEncipherment and the extended key
   usage is set and contains emailProtection, the certificate can be used
   for encryption

Kind regards,
Martijn Brinkers
--
Djigzo open source email encryption
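
The four conditions in the reply above, applied to the extension lines of `openssl x509 -noout -text` output. This is an added example, not Djigzo's code and not part of the original thread; the function names and the sample dumps are constructed, and it assumes OpenSSL's labels "Key Encipherment" and "E-mail Protection" for keyEncipherment and emailProtection.

```python
import re

def extension_values(openssl_text, name):
    """Values listed under 'X509v3 <name>:', or None if the extension is absent."""
    m = re.search(r"X509v3 %s:[^\n]*\n\s*([^\n]+)" % re.escape(name), openssl_text)
    return None if m is None else {v.strip() for v in m.group(1).split(",")}

def usable_for_encryption(key_usage, ext_key_usage):
    """The four conditions collapse to: each extension is either not set
    or contains the required value."""
    ku_ok = key_usage is None or "Key Encipherment" in key_usage
    eku_ok = ext_key_usage is None or "E-mail Protection" in ext_key_usage
    return ku_ok and eku_ok

def check(openssl_text):
    """Evaluate one certificate dump against the conditions."""
    return usable_for_encryption(
        extension_values(openssl_text, "Key Usage"),
        extension_values(openssl_text, "Extended Key Usage"))

# Constructed dump fragments (not real certificates).
# The certificate from the question: digitalSignature only, emailProtection EKU.
SIGN_ONLY = """
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                E-mail Protection
"""
# Condition 4: keyEncipherment present and emailProtection present.
FULL = """
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication
"""
# Condition 1: neither extension is set.
NO_EXTENSIONS = """
            X509v3 Basic Constraints:
                CA:FALSE
"""

if __name__ == "__main__":
    for label, text in [("sign-only", SIGN_ONLY), ("full", FULL),
                        ("no extensions", NO_EXTENSIONS)]:
        print(label, "->", "encrypt" if check(text) else "skip")
```
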