X509:数字签名和不可否认性有什么区别 [英] X509: What's the difference between digital signature and non-repudiation

问题描述

我必须处理瑞士邮局签发的 USB 令牌证书.在同一个令牌上提供两个证书.在其预期用途领域，一个具有不可否认性"，另一个具有数字签名".

I have to deal with certificates issued by the Swiss post office on USB tokens. There deliver two certificates on the same token. In their intended usage fields, one has "non repudiation" and the other "digital signature".

现在，我不明白这两者之间的实际区别是什么:我总是在同一个证书中看到两者，从来没有两个证书用于相同的身份，每个证书都具有一个角色.事实上，我无法想象不可否认性和数字签名不一样的场景，对于所有实际问题来说，都是一样的.

Now, I can't understand what the practical difference between the two are: I've always seen both in the same certificate, never two certs for the same identity each with one of the roles. In fact, I can't imagine a scenario where non-repudiation and digital signature aren't the same, for all practical matter, the same thing.

谁能向我解释一下有什么区别吗?如果你有关于在什么情况下应该选择一个而不是另一个的建议，那也会有帮助.s

Could anyone explain to me what the difference is, please ? And if you had a suggestion about in what situation one should be picked over the other, that would help as well.s

推荐答案

我意识到这个问题有点老了，但我想我可以对这个问题提供一些急需的信息.

I realise this question is a bit old, but I think I can shed some much-needed light on the question.

keyUsage 属性中的不可否认值与整个证书相关，而不是任何特定目的.不可否认标志的存在表明私钥具有足够的保护措施，证书中指定的实体以后不能拒绝——拒绝——他们对证书采取的行动.标志的存在并不阻止否认，而是表明否认不太可能通过合理的审查.

The non-repudiation value in the keyUsage attribute relates to the whole certificate, not any purpose in particular. The presence of the non-repudiation flag indicates that the private key has sufficient protections in place that the entity named in the certificate cannot later repudiate—deny—actions they take with the certificate. The presence of the flag doesn't prevent repudiation, rather it indicates that repudiation isn't likely to survive reasonable scrutiny.

因此，在这种特定情况下，CA 为用户提供了包含或不包含不可抵赖元素的证书选项.如果您想向验证签名的人断言，您不能轻易否认签名是您本人(此处 USB 令牌是关键启用者)，请使用不可否认证书.否则，使用标记为数字签名的证书.(根据证书中的其他属性，您可能会也可能无法使用其中一个或两个证书签署文档.)

So in this specific case, the CA is giving the user the option of a certificate that does or does not include the non-repudiation element. If you want to assert to those verifying the signature that you can't easily deny it was you who signed it (the USB token is the key enabler here), use the non-repudiation certificate. Otherwise, use the certificate marked for digital signatures. (Depending on the other attributes in the certificate, you may or may not be able to sign documents with either or both certificates.)

参见维基百科:http://en.wikipedia.org/wiki/Non-repudiation
另请参阅相关 RFC:http://www.faqs.org/rfcs/rfc3280.html(第 4.2.1.3 节)

See Wikipedia: http://en.wikipedia.org/wiki/Non-repudiation
See also the relevant RFC: http://www.faqs.org/rfcs/rfc3280.html (section 4.2.1.3)

这篇关于X509:数字签名和不可否认性有什么区别的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！