RE: German Key Usage

[lars.gu.johansson@xxxxxxxxx]

Key users,

Seems to me that everyone agrees that it is essential
to separate the two security services authentication and
non-repudiation by using different keys. That's why I've
previously supported the idea of never mix these key
usages (DS and NR) in the same certificate.

However, if the intepretation of the bits, as some of you
point out, should be that digitalSignature (DS) indicates a
MECHANISM wheras nonRepudiation (NR) is a SERVICE,
then indeed can there be a good reason for having both
bits set.

In order to still achieve the separation of the authantication
and non-repudiation service, I would propose the addition
of yet another key usage bit, namely the authentication (A)
SERVICE bit!

That could make sense: either the keyUsage field of the
certificate has DS+A set, indicating an authentication
service based on a digital signature mechanism. Or the
certificate would have the keyUsage field set to DS+NR,
indicating a non-repudiation service based on a digital
signature mechanism.

(Thinking of it: Wouldn't it also be possible to implement an
authentication service based on an data-encipherment
mechanism? If so, then the keyUsage would be DE+A)

The drawback of this aproach is that it adds further complexity
to an already quite complex concept. My only concern is that
we can agree on ONE solution that everyone interpret the same
way. Perhaps it's better to stick to the original idea of never
combining the DS and NR bits? Opinions?

/Lars Johansson