Re: Interpretation of KeyUsage?
Lars Johansson wrote:
>
> Hi all,
>
> This is a topic that has confused us a great deal
> in the Swedish SEIS project (http://www.seis.se).
> One goal of SEIS is to agree on a standard of
> electronic ID-cards (i.e. smart cards primarily
> used for identification). The electronic ID-card
> shall be capable of performing the following
> cryptographic functions (all based on RSA):
>
> 1. Authentication ("signing" a random challenge).
>
> 2. Computing digital signatures (e.g. signing
> legal contracts).
>
> 3. Encryption
>
> For each function there is a separate key with a
> corresponding certificate. These three certificates
> must therefore include the X.509v3 extension keyUsage.
>
> It's quite clear that the encryption key can have the
> usage 'keyEncipherment' but what about the other two?
>
> After reading the X.509 DAM over and over (and even
> calling Warwick Ford) it was decided that the key we
> use for (what we call) digital signatures (function no. 2)
> would be 'nonRepudiation' in the X.509 terminology.
No. This would be wrong. Non repudiation, as you point out later on, is
legally binding people. A digital signature is just a mechanism that
can be used for providing (and I am using there the ISO 7498-2
terminology) data origin authentication with integrity, or entity
authentication. When used in conjunction with other information, like a
counter-signature from a Time Stamping Authority, a digital signature
can also provide non repudiation.

The difference is introduced between "digital signature" and "non
repudiation" so that if you use a key with a key usage "digital
signature" then it is not intended to legally bind you. The key is
restricted to authentication purposes (in the large sense). In other
words, the digital signature may convince someone; but cannot be used,
according to a security policy, to convince anyone.

On the contrary, a key marked as non-repudiation is intended to bind
you, once again, according to a security policy.
> This left us with the KeyUsage 'digitalSignatures'
> for the key we use for authentication. Although I think
> this interpretation of X.509v3 is correct it still
> worries me somehow. As we interpret the term authentication,
> it means encrypting some random data with your private key.
> Since the protocol uses random data, this type of signature
> mustn't be mixed with the ones performed on legally binding
> contracts (supporting non-repudiation).
>
> Now I'd like to know for what other purposes are people
> using keys with the X.509v3 extension 'digitalSignature'?
> As I see it there is a potential risk that the interpretation
> differs from country to country or even from application to
> application.
> Suppose that one service provider on the Internet accepts
> a digitally signed payment order using the extension
> 'digitalSignature' in the corresponding certificate.
The Internet service provider can do it, in order to be convinced
itself, but it would not be able to use the received digital signature
to convince a third party, like a judge.
> Do you all see the potential risk of fraud to our happily
> unworried Swedish inhabitants that use their electronic
> ID-cards for authentication purposes?
>
> Please comment!
> /Lars Johansson
> Sweden Post
I take this opportunity to present my best wishes for the new year to
the happily unworried Swedish inhabitants that will use electronic
ID-cards for authentication purposes. :-)
Regards,
Denis
--
Denis Pinkas Bull S.A. E-mail : D.Pinkas@frcl.bull.fr
Rue Jean Jaures B.P. 68 Phone : 33 - 1 30 80 34 87
78340 Les Clayes sous Bois. FRANCE Fax : 33 - 1 30 80 33 21
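
Added example, not part of the original messages: a relying-party check that decodes the keyUsage BIT STRING from each of the three card certificates and refuses a signature whose certificate lacks the bit the purpose requires. The purpose names, the `REQUIRED_BIT` policy table and the sample byte strings are assumptions constructed for illustration, following the digitalSignature / nonRepudiation distinction drawn in the thread.

```python
# X.509 KeyUsage named bits, bit 0 first.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")

# Assumed relying-party policy (hypothetical purpose names): which bit each
# of the three card functions needs, per the distinction drawn in the thread.
REQUIRED_BIT = {
    "authentication": "digitalSignature",    # signing a random challenge
    "binding-signature": "nonRepudiation",   # e.g. contracts, payment orders
    "encryption": "keyEncipherment",
}


def decode_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING carried inside the keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, payload = der[1], der[2], der[3:]
    if length >= 0x80 or length != len(payload) + 1 or unused > 7:
        raise ValueError("malformed BIT STRING")
    if (not payload and unused) or (payload and payload[-1] & ((1 << unused) - 1)):
        raise ValueError("unused bits must be absent or zero")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, offset = divmod(i, 8)
        if byte < len(payload) and payload[byte] & (0x80 >> offset):
            names.add(name)
    return frozenset(names)


def accept(purpose: str, key_usage_der: bytes) -> bool:
    """True only if the certificate asserts the bit this purpose requires."""
    return REQUIRED_BIT[purpose] in decode_key_usage(key_usage_der)


# Constructed sample extension values, one per card certificate.
AUTH_CERT_KU = bytes.fromhex("03020780")  # digitalSignature only
SIGN_CERT_KU = bytes.fromhex("03020640")  # nonRepudiation only
ENC_CERT_KU = bytes.fromhex("03020520")   # keyEncipherment only

if __name__ == "__main__":
    # The payment-order case: a signature made with the authentication key
    # is accepted for login but refused as a binding signature.
    print(accept("authentication", AUTH_CERT_KU))
    print(accept("binding-signature", AUTH_CERT_KU))
```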