Re: [IETF-PKIX] Key Usage Profile
David, Steve, Denis, and others,
Just to test my understanding of this, if I have a certificate which
includes the nonRepudiation key usage, I would be ill-advised to use it to
sign an email message containing a draft contract if I am not prepared to be
legally bound by it, or unless I needed to be able to substantiate my good
faith in negotiations, and the draft was clearly labelled as such. Correct?
And likewise, if I have a certificate which includes the nonRepudiation bit,
I would be ill-advised to use that certificate to authenticate an SSL
session, unless I was prepared to be legally bound by the contents
transmitted over that session?
On the other hand, if I receive a payment order which only has the
digitalSignature bit set, and not the NonRepudiation bit, I should assume
that the information was provided FYI, but I shouldn't bet the ranch on it?
And what do we make of a digital signature which is verified by a
certificate which has neither of the bits set?
I think the attorneys and business practice people will follow whatever
course we chart here, but we should be careful what we ask for. Semantics
are important!
Bob
Robert R. Jueneman
Security Architect
Novell, Inc.
Network Services Division
122 East 1700 South
Provo, UT 84604
801/861-7387
bjueneman@novell.com
"If you are trying to get to the moon, climbing a tree,
although a step in the right direction, will not prove
to be very helpful."
"The most dangerous strategy is to cross the chasm in two leaps."
>>> "Simonetti David" <simonetti_david@bah.com> 11/21 2:22 PM >>>
All,
For those following the key usage profiling issue, I still can't say
that I'm convinced that nonRepudiation will be exclusive of
digitalSignature signature in practice, but I respect the opinions that
I have received.
I recommend that the key usages be profiled in some manner similar to
the following:
"CAs shall:
Set digitalSignature when the security services of authentication and
data integrity are to be applied to the validation of a signed object;
Set nonRepudiation when the security service of non-repudiation is to be
applied to the signed object;
Set both digitalSignature and nonRepudiation when all of the security
services of authentication, data integrity, and non-repudiation apply to
the signed object."
If I hear no objections, I will go forth with this.
Dave S.
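
The profile proposed in the quoted message, as an added example that is not part of the original thread: a Python sketch that decodes a DER-encoded keyUsage BIT STRING and maps the digitalSignature and nonRepudiation bits to the security services the proposal names. The function names and hex sample values are constructed for illustration, and returning no services when neither bit is set is an assumption, since the thread leaves that case as an open question.

```python
# Added example; decode_key_usage and profile_services are hypothetical names.
# Bit order follows the X.509 KeyUsage definition (bit 0 = digitalSignature).
KEY_USAGE_NAMES = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    # DER requires the unused trailing bits to be zero.
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    usages = set()
    for i, name in enumerate(KEY_USAGE_NAMES):
        byte_idx, bit = divmod(i, 8)
        # Bit 0 is the most significant bit of the first content byte.
        if byte_idx < len(content) and content[byte_idx] & (0x80 >> bit):
            usages.add(name)
    return usages

def profile_services(usages: set) -> list:
    """Map key usage bits to the services named in the proposed profile."""
    ds = "digitalSignature" in usages
    nr = "nonRepudiation" in usages
    if ds and nr:
        return ["authentication", "data integrity", "non-repudiation"]
    if ds:
        return ["authentication", "data integrity"]
    if nr:
        return ["non-repudiation"]
    return []  # assumption: the thread does not settle this case

if __name__ == "__main__":
    # Constructed sample encodings, not taken from real certificates.
    for sample in ("03020780", "03020640", "030206c0", "03020520"):
        usages = decode_key_usage(bytes.fromhex(sample))
        print(sample, sorted(usages), profile_services(usages))
```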