Signingalgorithmconstraints - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Constraints-Specific Policy Module Reference
Table 11-10 RSAKeyConstraints Configuration Parameters (Continued)
Parameter Description
Specifies the minimum length, in bits, for the key (the length of the modulus in bits).
minSize
The value must be smaller than or equal to the one specified by the maxSize
parameter. Permissible values: 512, 1024, 2048, or 4096. You may also enter a
custom key size that is between 512 and 4096 bits. The default value is 512.
Specifies the maximum length, in bits, for the key. Permissible values: 512, 1024,
maxSize
2048, or 4096. You may also enter a custom key size that is between 512 and 4096
bits. The default value is 2048.
Limits the possible public exponent values. Use commas to separate different values.
exponents
Some exponents are more widely used than others. The following exponent values
are recommended for arithmetic and security reasons: 17 and 65537. Of these two
values, 65537 is preferred. (This setting is mainly an issue if you are using your own
software for generating key pairs. Key-generation programs in Netscape clients and
servers use 3 or 65537.)
Permissible values: A combination of 3, 7, 17, and 65537, separated by commas. The
default value is 3,7,17,65537.

SigningAlgorithmConstraints

The
SigningAlgorithmConstraints
signing algorithm to be one of the algorithms supported by CMS: MD2 with RSA,
MD5 with RSA, and SHA-1 with RSA, if the Certificate Manager's signing key is
RSA and SHA-1 with DSA, if the Certificate Manager's signing key is DSA.
When a Certificate Manager digitally signs a message, it generates a compressed
version of the message called a message digest. Some of the algorithms used to
produce this digest include MD5 and SHA-1 (Secure Hash Algorithm).
• MD5 generates a 128-bit message digest. Most existing software applications
that handle certificates only support MD5.
• SHA-1 generates a 160-bit message digest. Some software applications do not
yet support the SHA-1 algorithm. For example, Netscape Navigator 3.0 (or
higher) and Enterprise Server 2.01 (or higher) support SHA-1; previous
versions of these applications do not support SHA-1.
You may apply this policy to end-entity certificate enrollment and renewal
requests.
During installation, CMS automatically creates an instance of the signing algorithm
constraints policy, named
504 Netscape Certificate Management System Administrator's Guide • February 2003
plug-in module restricts the requested
, that is enabled by default.
SigningAlgRule