
RE: German Key Usage



At 07:38 AM 8/13/98 +0100, Hans Nilsson wrote:
>
>You asked: Where is the confusion? My reply is:  
>
>Looking at all these different profiles, in the future some certificates
>will have BOTH bits set, and some applications will only use them for
>non-repudiation services, whereas other applications will use them for both
>(in violation of the German law? ;-). Other certificates will ONLY have the
>non-repudiation bit set, and may then not be usable in some applications.
>
>How will we ever get interworking between certificates issued according to
>these different standards, if they all have different settings and
>interpretation of the nonRepudiation bit?
>
>My conclusion is: We have two choices and should settle for one of them:
>
>A. The ISO 15782 and German interpretation (setting both bits when
>nonRepudiation is the intended usage). But then the other specifications you
>mentioned (Pkix, MISSI, FPKI) need to be changed to reflect that also. 
>
>B. The nonRepudiation bit is interpreted as implicitly using digital
>signatures, and SHOULD NOT be combined with anything else. This means
>changes to X.509 and ISO CD 15782. If possible, we should even change the
>name of the digitalSignature bit to authentication, because this is what
>everybody now explains in their specifications.
>
>Probably A is the easiest way to go.

Why, because the first law on the books rules the roost?  When has this
been the way of law?  Yes there is the concept of precedent, but if it is
not best, then changes need to occur.  

Easy, does not make right.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
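
The interworking problem discussed in this thread, as an added example that is not part of either message: it decodes a DER-encoded keyUsage BIT STRING and checks it against one reading of options A and B. The function names, the two conformance rules and the sample encodings are constructed for illustration.

```python
# KeyUsage named bits in X.509 order; bit 0 is the most significant bit
# of the first content octet of the BIT STRING.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> frozenset:
    """Decode a short-form DER BIT STRING into the asserted KeyUsage names."""
    if (len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80
            or der[1] != len(der) - 2):
        raise ValueError("not a short-form DER BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("invalid unused-bits count")
    nbits = min(len(content) * 8 - unused, len(KEY_USAGE_BITS))
    return frozenset(
        KEY_USAGE_BITS[i] for i in range(nbits)
        if content[i // 8] & (0x80 >> (i % 8))
    )

def conforms_option_a(usage) -> bool:
    # Assumed reading of option A: nonRepudiation always comes with digitalSignature.
    return "nonRepudiation" not in usage or "digitalSignature" in usage

def conforms_option_b(usage) -> bool:
    # Assumed reading of option B: nonRepudiation is not combined with anything else.
    return "nonRepudiation" not in usage or usage == {"nonRepudiation"}

# Constructed sample encodings of the keyUsage extension value.
SAMPLES = {
    "both bits": bytes.fromhex("030206c0"),
    "nonRepudiation only": bytes.fromhex("03020640"),
    "digitalSignature only": bytes.fromhex("03020780"),
}

def compare(samples=SAMPLES) -> dict:
    """Map each sample to (conforms to A, conforms to B)."""
    result = {}
    for name, der in samples.items():
        usage = decode_key_usage(der)
        result[name] = (conforms_option_a(usage), conforms_option_b(usage))
    return result

if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:22} option A: {a!s:5}  option B: {b}")
```

Under these two readings, no certificate that asserts nonRepudiation passes both checks, which is why the thread treats the choice between A and B as one that all profiles must make together.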