From: Tomas G. <to...@pr...> - 2004-06-10 09:22:48
The dig sig bit is set in CAs so they can produce valid ocsp-responses. Strictly digitalSignature is not needed on the CA, but verification of ocsp-responses fails if it is not set. My initial CA also gets digitalSignature; the default was changed between 3.0beta2 and 3.0beta3.

Cheers,
Tomas

Ken Gunderson wrote:
> At the risk of sounding stupid, could someone please enlighten me
> regarding correct usage of dig sig bit? I note the initial CA
> generated by ca.sh has CRL and Key sign bits set, but omits dig sig
> bit. The bit is set however on default (fixed) root and subca's.
>
> Per RFC3280:
>
> "The digitalSignature bit is asserted when the subject public key is
> used with a digital signature mechanism to support security services
> other than certificate signing (bit 5), or CRL signing (bit 6). Digital
> signature mechanisms are often used for entity authentication and data
> origin authentication with integrity."
>
> TIA-
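The point of the thread is that a CA certificate carrying only keyCertSign and cRLSign cannot be used to verify OCSP responses it signs itself. The following is an added example, not code from the thread or from the project: it decodes the DER-encoded KeyUsage BIT STRING from a certificate extension using the RFC 3280 bit numbering and reports whether digitalSignature is present. The two sample extension values are constructed here, not taken from any real certificate.

```python
"""Decode an X.509 KeyUsage extension value (DER BIT STRING) and check whether
the holder may sign OCSP responses, i.e. whether digitalSignature is set.
Added example; not part of the mailing-list thread or of the CA software."""

# Named bits from RFC 3280 section 4.2.1.3. Bit 0 is the most significant bit
# of the first content octet of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Parse a DER-encoded KeyUsage BIT STRING and return the named bits set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:  # short-form length only
        raise ValueError("bad BIT STRING length")
    unused = der[2]              # number of unused trailing bits in last octet
    content = der[3:]
    if unused > 7 or (not content and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(content) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break                # DER drops trailing zero bits, so stop here
        if content[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def can_sign_ocsp_responses(der: bytes) -> bool:
    """A CA signing its own OCSP responses needs digitalSignature; keyCertSign
    and cRLSign only cover certificate and CRL signing (bits 5 and 6)."""
    return "digitalSignature" in decode_key_usage(der)


# Constructed sample values (not from any real certificate):
# keyCertSign + cRLSign only -> bits 5 and 6 -> 0b00000110, 1 unused bit
CA_WITHOUT_DIGSIG = bytes([0x03, 0x02, 0x01, 0x06])
# digitalSignature + keyCertSign + cRLSign -> bits 0, 5, 6 -> 0b10000110
CA_WITH_DIGSIG = bytes([0x03, 0x02, 0x01, 0x86])

if __name__ == "__main__":
    for label, der in (("CA without digitalSignature", CA_WITHOUT_DIGSIG),
                       ("CA with digitalSignature", CA_WITH_DIGSIG)):
        verdict = "can sign OCSP responses" if can_sign_ocsp_responses(der) \
            else "OCSP response verification would fail"
        print(label, sorted(decode_key_usage(der)), verdict)
```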