RE: 3280bis: key usage (13)
Just a nit maybe:
The following is not untrue but not really what we mean.
>>> Note that a certificate
>>> with only the digitalSignature bit set MUST NOT be used for
>>> verifying certificate or CRL signatures.
For example: Can you use a certificate with DS + NR to validate
signatures on certificates? (it has not DS ONLY set).
I think what we do want to say is something like:
"Note that verification of CRL and certificate signatures is explicitly
excluded from the definition of the digitalSignature bit. These key
usage purposes are defined separately by bit 5 and 6."
/Stefan
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Denis Pinkas
> Sent: 2 June 2005 11:05
> To: Stephen Farrell
> Cc: Peter Gutmann; ietf-pkix@xxxxxxx
> Subject: Re: 3280bis: key usage (13)
>
>
>
> (text deleted)
>
> >>> The digitalSignature bit is asserted when the subject public key
> >>> is used for verifying digital signatures that are used
> >>> with an entity authentication service, a data origin authentication
> >>> service or/and an integrity service. Note that a certificate
> >>> with only the digitalSignature bit set MUST NOT be used for
> >>> verifying certificate or CRL signatures.
>
> >> Sounds good to me.
>
> > Cool. Let's see what happens when Denis gets back so,
>
> This is fine with me. This solves the DS issue.
> We still need to solve the NR/CC bit issue.
>
> Denis
>
> > Stephen.
>
>
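
The difference between the two wordings discussed above, as an added example that is not part of the original message or of any PKIX text: it decodes a keyUsage BIT STRING and compares the draft sentence read literally with a check tied to bits 5 (keyCertSign) and 6 (cRLSign). The function names are hypothetical and the sample encodings are constructed.

```python
# Added illustration: function names are hypothetical, sample encodings are constructed.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")

def parse_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING of a keyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(content) * 8 - unused
    names = set()
    for i in range(len(content) * 8):
        # Bit 0 is the most significant bit of the first content octet.
        if content[i // 8] & (0x80 >> (i % 8)):
            if i >= total_bits:
                raise ValueError("padding bits must be zero")
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit %d is not defined for keyUsage" % i)
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)

def barred_by_draft_sentence(usage) -> bool:
    """Draft sentence read literally: bars only the exact set {digitalSignature}."""
    return usage == {"digitalSignature"}

def may_verify(usage, purpose: str) -> bool:
    """Proposed wording: 'cert' needs bit 5 (keyCertSign), 'crl' needs bit 6 (cRLSign)."""
    return {"cert": "keyCertSign", "crl": "cRLSign"}[purpose] in usage

# Constructed keyUsage encodings (tag 03, length, unused-bit count, bits).
SAMPLES = {
    "DS only": bytes.fromhex("03020780"),
    "DS + NR": bytes.fromhex("030206c0"),
    "keyCertSign + cRLSign": bytes.fromhex("03020106"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        usage = parse_key_usage(der)
        print(label, sorted(usage),
              "barred by draft sentence:", barred_by_draft_sentence(usage),
              "cert:", may_verify(usage, "cert"), "crl:", may_verify(usage, "crl"))
```

The DS + NR sample is the case raised in the message: the literal sentence does not bar it, while the bit 5 and bit 6 check rejects it for both certificate and CRL signature verification.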