[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: German Key Usage
Blake, Toni,
Blake Greenlee wrote:
Dear folks:
There is another issue that only arises infrequently: a
geopolitical crisis. During such a crisis, it is customary for a
government to ban encrypted traffic across its borders, while
allowing signed or MACed traffic. This is another reason for
keeping the key usage distinct.
Blake
Good point! *This* is a good reason to separate digitalSignature and
various data encryption usage.
-----Original Message-----
From: Tony Bartoletti [mailto:azb@llnl.gov] Sent:
Thursday, August 13, 1998 7:13 PM
To: Friedrichs, Paul; hans.nilsson@ausys.se ;
simonetti_david@bah.com ; stefan@accurata.se ;
lars.gu.johansson@posten.se
Cc: ietf-pkix@imc.org ; cert-talk@structuredarts.com ;
blake.greenlee@greenlee.com
Subject: RE: German Key Usage
At 05:19 PM 8/13/98 -0400, Friedrichs, Paul wrote: > All,
>
> I agree. What's wrong with one key/cert for
> keyExchange/Encipherment *and* digitalSignature and a second
for > nonRepudiation?
A very important distinction between "Encipherment" and
"Signature": Encipherment keys may be subject to key escrow
requirements (in certain usage domains) while Signature keys would
certainly not.
nonRepudiation keys certainly would not, but why not I&A or MAC keys?
Would that be *so* bad?
Granted this is a distinction on the handling of the
private-key-component, but it may have ramifications for the
generation and handling of the public component certificates.
I completely agree - it's critical that the relying party's usage of
the certificate be based on the assertions of the CA.
It scares me just a bit to see these two usages lumped together,
even if only in the public-key certificate.
At the moment, I strongly believe (but might be able to be dissuaded)
that the crucial distinction is nonRepudiation or not; not digital
signature or not. It would seem to matter far less what atomic service
(reversible vs. non-reversible) is being supported by the key than what
business function is being served by this mechanism.
> Still two keys/certs: The first is used for
privileges/access to > resources either encrypted or protected
by some AC mechanism
> requiring remote I&A.
I agree with Blake that government restrictions on applications add
another dimension to the challenge, no doubt permanently necessitating
the separation of keys for I&A/MAC and privacy services.
The second is used for consciously created > signatures that
may have to stand up in court.
If law enforcement agencies legally capture "ephemeral" network
traffic as part of an ongoing investigation, I suppose it may be
months or even
years later when this traffic may be presented as evidence in a
courtroom.
True. Good point. If the certs and revocation information were
available, it could be used. Should we impose upon ourselves (the
industry in general) the burden, the commitment of supporting all such
contingencies?
The data presented may be "transient authentication" or more
substantial. I really fail to see this "consciously created"
distinction.
It would seem to be purely a legal/business issue. I am no lawyer, and
I understand there is not yet legal precedent in this area. But from my
reading of various digital signature guidelines and reflections upon my
own use of my signature, it would appear there's something to this
distinction. In any case, it's a business, not a technical decision.
And we should remain ready to support our customers.
More specifically, I believe that "consciously created", as it
applies to testimonials, binding contracts, and so forth, will
always require one or more "live witness" counter-signatures.
In the final analysis, repudiability is a continuum, not a
boolean.
Makes sense. But apparently a continuum of live witnesses to a
conscious act. The continuum is strengthened when a/each component is a
conscious rather than an oblivious act.
In the physical world, we leave finger prints and signatures on the
papers we touch. Both can be used in court. The first is (only for the
purpose of non-repudiation) analogous to I&A/MAC digital signatures
while the second is analogous to a nonRepudiation digital signatures.
Both have their place. One proves I touched it. The second proves I
meant to sign it fully aware of its content and the consequence of my
signature.
I'm glad I don't owe banks money because I only touched a mortgage
contract!
> This would appear to be the most fundamental distinction of
> services from the user's or replying party's perspective.
>
> keyUsage is an assertion by the CA, so this split makes
sense from > the PKI's perspective, as well: The primary
functional difference > from the CA's point of view is the
promise to support
> non-repudiation by archiving certs/CRLs beyond all statutes
of
> limitations and that it has not archived a copy of the
associated > private key.
Is it not more natural to have the relying party (who has no
particular contractual relationship to the CA) take it upon
herself to have the relevant docs, sigs, certs and crls archived
by some independent service? This way, even a CA that promises NO
non-repudiation support can still be held liable, together with
the signing party, for negligence, fraud, etc.
Honestly, it's not clear to me where archive responsibility will
optimally (technically or from a business perspective), ultimately
reside.
> What I hope disappears is any possibility of interpreting
> nonRepudiation "service" as applying to notaries and
timestamps! > These are applications which require
nonRepudiation keyUsage like > anybody else.
True.
Actually, this point was the primary reason I spoke up in the first
place. I have nagging fears that some businesses want to undermine this
interpretation in order to sanctify their nascent notary services.
Nothing against notary services. They are part of our non-repudiation
"continuum." But from the perspective of the CA and as a cryptographic
service, it is nothing other than an application's use of a
non-repudiation digital signature.
Paul