3280bis: key usage (13)
To the list,
The disposition of comments states:
13) The descriptions of the meanings of the digitalSignature and
nonRepudiation bits of keyUsage may need to be adjusted based
on the work in X.509
The new text in X.509 aligns with the text in RFC 3280. No changes
are required to 3280bis. A comment has been added to the ASN.1 for
KeyUsage stating that "recent editions of X.509 have renamed
[the nonRepudiation] bit to contentCommitment"
This statement is untrue.
The text from X.509 has been published in Corrigendum 3 (04/2004)
on pages 4 and 5 (see ISO/IEC 9594-8:2000/Cor.3:2004 also called
ITU-T Rec. X.509 (2000)/Cor.3 (04/2004)).
An extract from this text is copied below:
a) digitalSignature: for verifying digital signatures that are used
with an entity authentication service, a data origin authentication
service or/and an integrity service;
b) contentCommitment: for verifying digital signatures which are intended
to signal that the signer is committing to the content being signed.
The type of commitment the certificate can be used to support may be
further constrained by the CA, e.g. through a certificate policy.
The precise type of commitment of the signer e.g. "reviewed and
approved" or "with the intent to be bound", may be signalled by the
content being signed, e.g. the signed document itself or some additional
signed information.
Since a content commitment signing is considered to be a digitally signed
transaction, the digitalSignature bit need not be set in the certificate.
If it is set, it does not affect the level of commitment the signer has
endowed in the signed content.
Note that it is not incorrect to refer to this keyUsage bit using the
identifier nonRepudiation. However, the use of this identifier has been
deprecated. Regardless of the identifier used, the semantics of this bit
are as specified in this Directory Specification.
The text from 3280 is copied below:
The digitalSignature bit is asserted when the subject public key
is used with a digital signature mechanism to support security
services other than certificate signing (bit 5), or CRL signing
(bit 6). Digital signature mechanisms are often used for entity
authentication and data origin authentication with integrity.
The nonRepudiation bit is asserted when the subject public key is
used to verify digital signatures used to provide a non-
repudiation service which protects against the signing entity
falsely denying some action, excluding certificate or CRL signing.
In the case of later conflict, a reliable third party may
determine the authenticity of the signed data.
Further distinctions between the digitalSignature and
nonRepudiation bits may be provided in specific certificate
policies.
The text from 3280bis does not align with the ISO-ITU text.
Please align with the ISO-ITU text.
Denis
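Both quoted texts refer to the KeyUsage bits by position (digitalSignature is bit 0, nonRepudiation/contentCommitment is bit 1, keyCertSign is bit 5, cRLSign is bit 6). The following decoder and encoder for the DER-encoded KeyUsage BIT STRING is an added example, not part of the message above or of either standard's text; it uses only the Python standard library, handles only the short-form length that a KeyUsage value ever needs, and treats the X.509 identifier contentCommitment as the same bit as nonRepudiation, which is the point of the Corrigendum text quoted in the message. The sample DER byte strings below are constructed for illustration.

```python
"""KeyUsage BIT STRING (RFC 3280 section 4.2.1.3) DER decode/encode.

Added example (not from the mailing-list message). ASN.1 numbers BIT STRING
bits from the most significant bit of the first content octet; the first
content octet of the encoding is the count of unused trailing bits.
"""

KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",   # X.509 (2000)/Cor.3 calls this bit contentCommitment
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}

NAME_TO_BIT = {name: bit for bit, name in KEY_USAGE_BITS.items()}
NAME_TO_BIT["contentCommitment"] = 1   # same bit, newer X.509 identifier


def decode_key_usage(der: bytes) -> list:
    """Return the names of the bits set in a DER-encoded KeyUsage value.

    Raises ValueError on malformed input, including non-zero unused bits,
    which DER forbids and which a lenient parser could misinterpret.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80:
        raise ValueError("long-form length is never needed for KeyUsage")
    if len(der) != 2 + length:
        raise ValueError("length octet does not match input size")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires the unused trailing bits to be zero")
    nbits = len(body) * 8 - unused
    names = []
    for pos in range(nbits):
        if body[pos // 8] & (0x80 >> (pos % 8)):
            names.append(KEY_USAGE_BITS.get(pos, "bit%d" % pos))
    return names


def encode_key_usage(names) -> bytes:
    """DER-encode a KeyUsage value from bit names.

    DER drops trailing zero bits of a named bit list, so the encoding is as
    short as the highest set bit allows; an empty set encodes as 03 01 00.
    """
    bits = sorted({NAME_TO_BIT[n] for n in names})
    if not bits:
        return b"\x03\x01\x00"
    nbits = bits[-1] + 1
    nbytes = (nbits + 7) // 8
    body = bytearray(nbytes)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - nbits
    return bytes([0x03, 1 + nbytes, unused]) + bytes(body)


if __name__ == "__main__":
    # Constructed sample encodings: the values below are illustrative only.
    for hexval in ("030206c0", "03020106", "0303078080"):
        print(hexval, "->", decode_key_usage(bytes.fromhex(hexval)))
    print(encode_key_usage(["contentCommitment"]).hex())
```

Decoding `030206c0` yields digitalSignature and nonRepudiation (bits 0 and 1); `03020106` yields keyCertSign and cRLSign (bits 5 and 6, the ones the RFC 3280 text excludes from the digitalSignature meaning). Encoding `contentCommitment` alone produces the same bytes as encoding `nonRepudiation` alone, which is exactly the Corrigendum's statement that the identifier changed while the bit and its semantics did not.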