RE: German Key Usage
David,
Thank you for the exhaustive summary of non-repudiation key usage in
different specifications. Here is my own translation of the relevant section
of the German Certificate Specification version 2.0 (sorry for the
Swenglish):
"The designation of the bit digitalSignature describes the usage
insufficiently. Digital Signatures are mechanisms that serve to enable
services like authentication or ensuring an undertaking. A suitable name for
the bit digitalSignature would be authentication, whereby the real usage
would be described.
The usage of the two bits digitalSignature and nonRepudiation differ in such
a way that the authentication process usually is done automatically and
quite often, whereas digital signatures for securing an
undertaking are made consciously and less frequently by the certificate holder.
In the context of this profile, only combinations 2 and 7 [from ISO CD
15782] are relevant. The usage of the keyUsage extension is mandatory and
shall be marked critical in all certificates. When generating user
certificates, only the bits digitalSignature and nonRepudiation (combination
2) are allowed to be used. Participant (=user? /hn) certificates shall not
be used for authentication purposes". (Then follow a few sentences saying
that CA certificates shall use combination 7).
You asked: Where is the confusion? My reply is:
Looking at all these different profiles, in the future some certificates
will have BOTH bits set, and some applications will only use them for
non-repudiation services, whereas other applications will use them for both
(in violation of the German law? ;-). Other certificates will ONLY have the
non-repudiation bit set, and may then not be usable in some applications.
How will we ever get interworking between certificates issued according to
these different standards, if they all have different settings and
interpretations of the nonRepudiation bit?
My conclusion is: We have two choices and should settle for one of them:
A. The ISO 15782 and German interpretation (setting both bits when
nonRepudiation is the intended usage). But then the other specifications you
mentioned (PKIX, MISSI, FPKI) need to be changed to reflect that also.
B. The nonRepudiation bit is interpreted as implicitly using digital
signatures, and SHOULD NOT be combined with anything else. This means
changes to X.509 and ISO CD 15782. If possible, we should even change the
name of the digitalSignature bit to authentication, because this is what
everybody now explains in their specifications.
Probably A is the easiest way to go.
Hans
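
The interworking problem raised in the message above, as an added example that is not part of the original post: it decodes the DER BIT STRING of a keyUsage extension and checks it against choices A and B. The function names, the strict reading of each choice by the relying party, and the sample encodings are assumptions made for illustration.

```python
# Bit numbers in the X.509 KeyUsage BIT STRING (bit 0 is the most
# significant bit of the first content byte).
DIGITAL_SIGNATURE, NON_REPUDIATION = 0, 1

def parse_key_usage(der):
    """Decode a short-form DER BIT STRING into the set of bit numbers set."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("not a well-formed short DER BIT STRING")
    unused, content = der[2], der[3:]
    bits = {i * 8 + j
            for i, byte in enumerate(content)
            for j in range(8) if byte & (0x80 >> j)}
    # The declared unused trailing bits must be zero.
    if any(b >= len(content) * 8 - unused for b in bits):
        raise ValueError("unused bits are not zero")
    return bits

def accepts_as_non_repudiation(bits, choice):
    """Hypothetical strict relying party following choice A or B."""
    if choice == "A":  # both bits set when nonRepudiation is intended
        return {DIGITAL_SIGNATURE, NON_REPUDIATION} <= bits
    if choice == "B":  # nonRepudiation alone, combined with nothing else
        return bits == {NON_REPUDIATION}
    raise ValueError("choice must be 'A' or 'B'")

# Constructed sample encodings of the keyUsage extension value.
SAMPLES = {
    "both bits": bytes.fromhex("030206c0"),
    "nonRepudiation only": bytes.fromhex("03020640"),
    "digitalSignature only": bytes.fromhex("03020780"),
}

def interop_matrix():
    """Map each sample certificate to the verdict under each choice."""
    return {name: {c: accepts_as_non_repudiation(parse_key_usage(der), c)
                   for c in ("A", "B")}
            for name, der in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in interop_matrix().items():
        print(f"{name:22} A={verdicts['A']!s:5} B={verdicts['B']}")
```

No sample is accepted under both choices, which is the interworking gap the message describes.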