Re: German Key Usage
>I am struggling with the question of the usage of the non-Repudiation Key
>Usage bit. In a previous discussion, I claimed that the correct way would be
>to have different keys for Authentication (performed automatically, for
>example SSL client authentication) and Non-Repudiation (for legally binding
>digital signatures, where the user should be made aware of what he is
>signing). For the first key, the digitalSignature bit should be set, and for
>the second key the nonRepudiation bit should be set.
This is exactly what the (US) Federal PKI does, with digitalSignature being
used for ephemeral applications (e.g. session authentication) and nonRepudiation
being used for signing objects which need to be verified at a future time.
>[German profile]
>It is quite evident that they interpret the nonRepudiation bit as an
>ADDITIONAL function for the digitalSignature mechanism, which is quite in
>line with what Denis Pinkas wrote to me earlier:
>To paraphrase what I already said: the digital signature bit is a MECHANISM
>bit, while the non repudiation bit is a SERVICE bit.
That's what I would have thought too, especially since the name nonRepudiation
implies something other than just signing used as tamperproofing.
>Is Denis' and the German interpretation of the nonRepudiation bit right or
>wrong?
I don't think either interpretation is right or wrong; they're just
different. I can't really see why it should be necessary to distinguish
ephemeral signing from long-term signing though (anyone?), so I'd go with
Denis' interpretation.
BTW, as a general request to PKIX/cert-talk readers, I'm trying to build up a
collection of every available PKI profile so I can add some sort of
cross-reference to the X.509 style guide. Currently I have PKIX, FPKI, the
German profile, and relevant parts of the Australian PKAF work on their way to
me (the PKAF stuff is apparently only available in hardcopy form, which makes
it a pain to get). What I don't have are the two(?) ISO drafts which profile
cert usage, and I've heard mention of some other Australian standard (which
may or may not be identical to the PKAF work), and there are probably other
profiles as well. If anyone can get me copies of these so I can add them to
the guide, I'd appreciate it.
Peter.
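The two readings of the nonRepudiation bit debated above, as an added example that is not part of the original post: a minimal DER encoder/decoder for the X.509 KeyUsage BIT STRING (bit numbering as in X.509/RFC 5280, including the named-bit-list rule that trailing zero bits are dropped), followed by a hypothetical relying-party check `may_use` that models the "separate keys" reading and the "additional service" reading. The policy function and its `reading`/`purpose` parameters are my own modelling assumptions, not anything the profiles themselves define.

```python
# X.509 KeyUsage named bits (RFC 5280 section 4.2.1.3), counted from the
# most significant bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def encode_key_usage(names):
    """DER-encode KeyUsage (BIT STRING, tag 0x03) from a list of bit names.
    DER drops trailing zero bits of a named bit list, so the unused-bits
    byte is derived from the highest bit that is actually set."""
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING
    highest = bits[-1]
    body = bytearray(highest // 8 + 1)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - highest % 8
    return bytes([0x03, len(body) + 1, unused]) + bytes(body)

def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING into the set of asserted bit names,
    rejecting malformed lengths and non-zero padding bits."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("bad unused-bit count or non-zero padding")
    total = len(body) * 8 - unused
    return {name for name, i in KEY_USAGE_BITS.items()
            if i < total and body[i // 8] & (0x80 >> (i % 8))}

def may_use(usage, purpose, reading):
    """Hypothetical relying-party policy (modelling assumption). purpose is
    'authentication' (ephemeral, e.g. SSL client auth) or 'commitment'
    (long-term, legally binding signature). reading 'separate-keys' models
    the FPKI view: one bit per key. reading 'service' models the German /
    Pinkas view: nonRepudiation is an extra service on top of the
    digitalSignature mechanism, so both bits must be present."""
    ds, nr = "digitalSignature" in usage, "nonRepudiation" in usage
    if reading == "separate-keys":
        return ds if purpose == "authentication" else nr
    if reading == "service":
        return ds if purpose == "authentication" else (ds and nr)
    raise ValueError("unknown reading")
```

Note that a certificate carrying only nonRepudiation is acceptable for a commitment signature under the "separate keys" reading but not under the "service" reading, which is exactly the interoperability gap the thread is about.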