We are considering the creation of separate PKCS # 7 signatures with timestamp for our backup files for audit purposes (the timestamp would be created by an external trusted TSA). What attributes of extended key use (EKU), if applicable, should be present in the certificate of the signature key so that it has the most legal value? Do we need any EKU value or do we simply need a key use of non-repudiation?
For the record, we are aware of things like FIM and companies like Tripwire, but we are still interested in this approach. We are also aware that the legal value of our solution will depend mainly on how we manage our keys, who our customers are, etc.