Re: 3280bis: key usage (13)

[Denis Pinkas <Denis.Pinkas@xxxxxxxx>]

Stefan,

> Just a nit maybe:
> The following is not untrue but not really what we mean.

> > > >   Note that a certificate
> > > >   with only the digitalSignature bit set MUST NOT be used for
> > > >   verifying certificate or CRL signatures.

> For example: Can you use a certificate with DS + NR to validate
> signatures on certificates? (it has not DS ONLY set).

> I think what we do want to say is something like:

> "Note that verification of CRL and certificate signatures is explicitly
> excluded from the definition of the digitalSignature bit. These key
> usage purposes are defined separately by bit 5 and 6."

On the long paved road leading to further improvements, why not say:

"Note that the verification of certificate signatures and CRL signatures
is only governed by key usage purposes defined by bits 5 and 6
respectively".

Denis

> /Stefan
>  
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@xxxxxxxxxxxx
>
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
>
> > On Behalf Of Denis Pinkas
> > Sent: den 2 juni 2005 11:05
> > To: Stephen Farrell
> > Cc: Peter Gutmann; ietf-pkix@xxxxxxx
> > Subject: Re: 3280bis: key usage (13)
> >
> >
> >
> > (text deleted)
> >
> >
> > > > >   The digitalSignature bit is asserted when the subject public
> key
>
> > > > >   is used for verifying digital signatures that are used
> > > > >   with an entity authentication service, a data origin
> authentication
>
> > > > >   service or/and an integrity service. Note that a certificate
> > > > >   with only the digitalSignature bit set MUST NOT be used for
> > > > >   verifying certificate or CRL signatures.
> > > >
> > > > Sounds good to me.
> > >
> > > Cool. Let's see what happens when Denis get back so,
> >
> > This is fine with me. This solves the DS issue.
> > We still need to solve the NR/CC bit issue.
> >
> > Denis
> >
> >
> > > Stephen.