RE: German Key Usage

[Blake Greenlee <blake.greenlee@xxxxxxxxxxxxxxx>]

Dear folks:

There is another issue that only arises infrequently: a geopolitical crisis.
During such a crisis, it is customary for a government to ban encrypted
traffic across its borders, while allowing signed or MACed traffic. This is
another reason for keeping the key usage distinct.

Blake

-----Original Message-----
From:	Tony Bartoletti [mailto:azb@llnl.gov]
Sent:	Thursday, August 13, 1998 7:13 PM
To:	Friedrichs, Paul; hans.nilsson@ausys.se ; simonetti_david@bah.com ;
stefan@accurata.se ; lars.gu.johansson@posten.se
Cc:	ietf-pkix@imc.org ; cert-talk@structuredarts.com ;
blake.greenlee@greenlee.com
Subject:	RE: German Key Usage

At 05:19 PM 8/13/98 -0400, Friedrichs, Paul wrote:
>     All,
>
>     I agree. What's wrong with one key/cert for
>     keyExchange/Encipherment *and* digitalSignature and a second for
>     nonRepudiation?

A very important distinction between "Encipherment" and "Signature":
Encipherment keys may be subject to key escrow requirements (in certain
usage domains) while Signature keys would certainly not.  Granted this
is a distinction on the handling of the private-key-component, but it
may have ramifications for the generation and handling of the public
component certificates.  It scares me just a bit to see these two usages
lumped together, even if only in the public-key certificate.

>     Still two keys/certs: The first is used for privileges/access to
>     resources either encrypted or protected by some AC mechanism
>     requiring remote I&A. The second is used for consciously created
>     signatures that may have to stand up in court.

If law enforcement agencies legally capture "ephemeral" network traffic
as part of an ongoing investigation, I suppose it may be months or even
years later when this traffic may be presented as evidence in a courtroom.
The data presented may be "transient authentication" or more substantial.
I really fail to see this "consciously created" distinction.

More specifically, I believe that "consciously created", as it applies
to testimonials, binding contracts, and so forth, will always require
one or more "live witness" counter-signatures.  In the final analysis,
repudiability is a continuum, not a boolean.

>     This would appear to be the most fundamental distinction of
>     services from the user's or replying party's perspective.
>
>     keyUsage is an assertion by the CA, so this split makes sense from
>     the PKI's perspective, as well: The primary functional difference
>     from the CA's point of view is the promise to support
>     non-repudiation by archiving certs/CRLs beyond all statutes of
>     limitations and that it has not archived a copy of the associated
>     private key.

Is it not more natural to have the relying party (who has no particular
contractual relationship to the CA) take it upon herself to have the
relevant docs, sigs, certs and crls archived by some independent service?
This way, even a CA that promises NO non-repudiation support can still be
held liable, together with the signing party, for negligence, fraud, etc.

>     What I hope disappears is any possibility of interpreting
>     nonRepudiation "service" as applying to notaries and timestamps!
>     These are applications which require nonRepudiation keyUsage like
>     anybody else.

True.

___tony___



Tony Bartoletti                                             LL
SPI-NET GURU                                             LL LL
Computer Security Technology Center                   LL LL LL
Lawrence Livermore National Lab                       LL LL LL
PO Box 808, L - 303                                   LL LL LLLLLLLL
Livermore, CA 94551-9900                              LL LLLLLLLL
email: azb@llnl.gov   phone: 510-422-3881             LLLLLLLL