[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3280bis: key usage (13)

To: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Subject: Re: 3280bis: key usage (13)
From: Stephen Farrell <stephen.farrell@xxxxxxxxx>
Date: Thu, 26 May 2005 14:49:31 +0100
Cc: pkix <ietf-pkix@xxxxxxx>
In-reply-to: <42959044.4070802@xxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <42959044.4070802@xxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511

Denis,

> Please align with the the ISO-ITU text.

Do you mean we should rename the bits and include the
other new x.509 text? The design team were against
doing that.

Is there any (good) reason other than alignment to
make such a change?

Personally, I find the new x.509 text worse, although
it does say: "Note that it is not incorrect to refer to
this keyUsage bit using the identifier nonRepudiation."
So I can argue that we are aligned, just not identical.

But of course, I'm from the non-repudiation is non-sense
camp so I may not be the best judge.

Stephen.

PS: A quibble:

>   The new text in X.509 aligns with the text in RFC 3280.  No changes
>   are required to 3280bis.  A comment has been added to the ASN.1 for
>   KeyUsage stating that "recent editions of X.509 have renamed
>   [the nonRepudiation] bit to contentCommitment"
>
> This statement is untrue.

The paragraph to which I assume you refer contains 3
statements - it'd be easier to close these threads if
you were more precise. (I think I got what you want
by the end of the mail though...)

PPS: "This statement is untrue."
     Are you from Crete after all? :-)

Denis Pinkas wrote:


To the list,

The disposition of comments states:

 13) The descriptions of the meanings of the digitalSignature and
     nonRepudiation bits of keyUsage may need to be adjusted based
     on the work in X.509

  The new text in X.509 aligns with the text in RFC 3280.  No changes
  are required to 3280bis.  A comment has been added to the ASN.1 for
  KeyUsage stating that "recent editions of X.509 have renamed
  [the nonRepudiation] bit to contentCommitment"

This statement is untrue.

The text from X.509 has been published in Corrigendum 3 (04/2004)
on pages 4 and 5 (see ISO/IEC 9594-8:2000/Cor.3:2004 also called

ITU-T Rec. X.509 (2000)/Cor.3 (04/2004)).

An extract from this text is copied below:

a) digitalSignature: for verifying digital signatures that are used
   with an entity authentication service, a data origin authentication
   service or/and an integrity service;

b) contentCommitment: for verifying digital signatures which are intended
   to signal that the signer is committing to the content being signed.
   The type of commitment the certificate can be used to support may be
   further constrained by the CA, e.g. through a certificate policy.
   The precise type of commitment of the signer e.g. "reviewed and
   approved" or "with the intent to be bound", may be signalled by the
   content being signed, e.g. the signed document itself or some additional
   signed information.

Since a content commitment signing is considered to be a digitallysignedtransaction, the digitalSignature bit need not be set in thecertificate.

   If it is set, it does not affect the level of commitment the signer has
   endowed in the signed content.

   Note that it is not incorrect to refer to this keyUsage bit using the
   identifier nonRepudiation. However, the use of this identifier has been
   deprecated. Regardless of the identifier used, the semantics of this bit
   are as specified in this Directory Specification.

The text from 3280 is copied below:

      The digitalSignature bit is asserted when the subject public key
      is used with a digital signature mechanism to support security
      services other than certificate signing (bit 5), or CRL signing
      (bit 6).  Digital signature mechanisms are often used for entity
      authentication and data origin authentication with integrity.

      The nonRepudiation bit is asserted when the subject public key is
      used to verify digital signatures used to provide a non-
      repudiation service which protects against the signing entity
      falsely denying some action, excluding certificate or CRL signing.
      In the case of later conflict, a reliable third party may
      determine the authenticity of the signed data.

      Further distinctions between the digitalSignature and
      nonRepudiation bits may be provided in specific certificate
      policies.

The text from 3280bis does not align with the ISO-ITU text.
Please align with the the ISO-ITU text.

Denis

Follow-Ups:
- Re: 3280bis: key usage (13)
  - From: Hoyt L Kesterson II

References:
- 3280bis: key usage (13)
  - From: Denis Pinkas

Prev by Date: RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
Next by Date: Re: [draft-ietf-pkix-sim-04.txt]
Previous by thread: 3280bis: key usage (13)
Next by thread: Re: 3280bis: key usage (13)
Index(es):
- Date
- Thread