gpgsm not listing key usage caps "esc" in regular output?
Bernhard Reiter
bernhard at intevation.de
Fri Oct 31 15:39:24 CET 2008
On Friday, 31 October 2008, Werner Koch wrote:
> On Fri, 31 Oct 2008 09:50, bernhard at intevation.de said:
> > It seems that gpgsm will not add "key usage" if a key has "esc"
> > capabilities. Is this a defect? Seems like it.
>
> This is on purpose:
>
>   err = ksba_cert_get_key_usage (cert, &use);
>   if (gpg_err_code (err) == GPG_ERR_NO_DATA)
>     {
>       es_putc ('e', fp);
>       es_putc ('s', fp);
>       es_putc ('c', fp);
>       es_putc ('E', fp);
>       es_putc ('S', fp);
>       es_putc ('C', fp);
>       return;
>     }
>
> The reason is that programs using the colon interface take decisions
> based on the key capabilities. We don't want them to know how to interpret
> X.509 and thus we do this for them by telling that the certificate may be
> used for all purposes.
>
> A key listing without --with-colons is intended to be human readable
> and thus we print what we actually have, like:
>
>     key usage: digitalSignature nonRepudiation keyEncipherment
>
> In the above case we don't print anything because there are no key usage
> flags at all.

Ah, thanks for the explanation!

Checking with openssl, the key for Bernhard has:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        (no X509v3 Key Usage)

where Ludwig has

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment

As the "C" in the colons means it is able to certify other keys,
I take it that the listed X509v3 Basic Constraints: critical CA:FALSE
is not considered by gpgsm or means something else?
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
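
Added example (not part of the original message and not GnuPG code): a small C model of the behaviour discussed in this thread, applied to the two certificates mentioned above, plus a stricter consumer-side check that only honours "c" when basicConstraints marks the certificate as a CA. The helper names, the local bit values and the bit-to-letter mapping for a present keyUsage extension are assumptions; only the "escESC" fallback comes from the quoted code.

```c
#include <stdio.h>
#include <string.h>

/* X.509 keyUsage bit names (RFC 5280); numeric values are local to this example. */
enum {
  KU_DIGITAL_SIGNATURE = 1 << 0,
  KU_NON_REPUDIATION   = 1 << 1,
  KU_KEY_ENCIPHERMENT  = 1 << 2,
  KU_DATA_ENCIPHERMENT = 1 << 3,
  KU_KEY_CERT_SIGN     = 1 << 4
};

/* Hypothetical helper: build the capability field of a colon listing.
   have_ku == 0 models the GPG_ERR_NO_DATA branch quoted above ("escESC").
   The mapping used when the extension is present is an assumption. */
static const char *colon_caps (int have_ku, unsigned use, char out[8])
{
  char low[4];
  size_t n = 0, i;

  if (!have_ku)
    return strcpy (out, "escESC");
  if (use & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT))
    low[n++] = 'e';
  if (use & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))
    low[n++] = 's';
  if (use & KU_KEY_CERT_SIGN)
    low[n++] = 'c';
  for (i = 0; i < n; i++)
    {
      out[i] = low[i];                          /* lowercase letters first */
      out[n + i] = (char)(low[i] - 'a' + 'A');  /* then the uppercase set  */
    }
  out[2 * n] = '\0';
  return out;
}

/* Stricter consumer check: 'c' only counts when basicConstraints has CA:TRUE. */
static int may_certify (const char *caps, int is_ca)
{
  return is_ca && strchr (caps, 'c') != NULL;
}

int main (void)
{
  char b[8], l[8];
  colon_caps (0, 0, b);  /* Bernhard: no keyUsage extension, CA:FALSE */
  colon_caps (1, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT, l);
  printf ("Bernhard %s certify=%d\n", b, may_certify (b, 0));
  printf ("Ludwig   %s certify=%d\n", l, may_certify (l, 0));
  return 0;
}
```
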
More information about the Gnupg-devel
mailing list