Re: Interpretation of KeyUsage?
Denis Pinkas wrote:
>
> Lars Johansson wrote:
> >
> > After reading the X.509 DAM over and over (and even
> > calling Warwick Ford) it was decided that the key we
> > use for (what we call) digital signatures (function no. 2)
> > would be 'nonRepudiation' in the X.509 terminology.
>
> No. This would be wrong. Non repudiation, as you point out later on, is
> legally binding people. A digital signature is just a mechanism that
> can be used for providing (and I am using there the ISO 7498-2
> terminology) data origin authentication with integrity, or entity
> authentication. When used in conjunction with other information, like a
> counter-signature from a Time Stamping Authority, a digital signature
> can also provide non repudiation.

Non repudiation of origin can also be achieved when the key is securely
stored in a smart card and can only be accessed after a correct
presentation of the PIN code. This is how our 'nonRepudiation'-key is used.

> The difference is introduced between "digital signature" and "non
> repudiation" so that if you use a key with a key usage "digital
> signature" then it is not intended to legally bind you. The key is
> restricted to authentication purposes (in the large sense). In other
> words, the digital signature may convince someone; but cannot be used,
> according to a security policy, to convince anyone.
>
> On the contrary a key marked as non-repudiation is intended to bind
> you, once again, according to a security policy.

This is interesting since it is almost exactly the interpretation of
keyUsage that we agreed upon. Hopefully everyone has the same
interpretation(?).

This would also mean that e.g. a time-stamping service would use a key
with nonRepudiation and let the policy indicate that it may only be used to
legally sign time-stamps, not any contents of the time-stamped
documents.

> > Suppose that one service provider on the Internet accepts
> > a digitally signed payment order using the extension
> > 'digitalSignature' in the corresponding certificate.
>
> The Internet service provider can do it, in order to be convinced
> itself, but it would not be able to use the received digital signature
> to convince a third party, like a judge.

...which is the reason why signatures should be used in the first place,
isn't it? No, I get the point. Thanks for clarifying it to me.

> I take this opportunity to present my best wishes for the new year to
> the happily unworried Swedish inhabitants that will use electronic
> ID-cards for authentication purposes. :-)
Thanks, I'll pass your greeting to them. ;-)
Kind regards,
/Lars Johansson
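
The distinction discussed in this thread, as an added example that is not part of either poster's message: a relying party decodes the DER-encoded KeyUsage BIT STRING and decides what a verified signature may be relied on for. The purpose names `authenticate` and `third_party_evidence` and the function names are hypothetical; the bit positions are those of the X.509 KeyUsage definition, and the sample encodings are constructed.

```python
# Added illustration: bit 0 is the most significant bit of the first content byte.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")


def parse_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding a KeyUsage value into usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, content = der[2], der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("bad unused-bits count")
    usages = set()
    for i in range(len(content) * 8 - unused):
        if content[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("unknown KeyUsage bit %d" % i)
            usages.add(KEY_USAGE_BITS[i])
    return usages


def key_allows(der: bytes, purpose: str) -> bool:
    """Apply the reading agreed in the thread (hypothetical purpose names).

    'authenticate': the verifier only needs to convince itself, which
    requires digitalSignature.
    'third_party_evidence': the signature must be able to bind the signer
    before a third party, which requires nonRepudiation. The governing
    security policy still has to permit that use; this check covers only
    the certificate bit.
    """
    usages = parse_key_usage(der)
    if purpose == "authenticate":
        return "digitalSignature" in usages
    if purpose == "third_party_evidence":
        return "nonRepudiation" in usages
    raise ValueError("unknown purpose: " + purpose)


# Constructed sample encodings of the KeyUsage extension value.
SIG_ONLY = bytes.fromhex("03020780")   # digitalSignature
NR_ONLY = bytes.fromhex("03020640")    # nonRepudiation
SIG_AND_NR = bytes.fromhex("030206c0")  # both bits set
```

With `SIG_ONLY`, the payment-order case from the thread passes `authenticate` but fails `third_party_evidence`.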