Re: German Key Usage
...Enter IPsec's IKE...
Russ Housley wrote:
>
> No. Sometimes it is perfectly acceptable to use one key for authentication
> and non-repudiation.
>
> I would say that there is agreement that key management and digital
> signature should not be mixed. Yet, we have many deployed protocols that
> do just that.
>
> Russ
>
> At 04:14 PM 8/13/98 +0200, lars.gu.johansson@posten.se wrote:
> >Key users,
> >
> >Seems to me that everyone agrees that it is essential
> >to separate the two security services authentication and
> >non-repudiation by using different keys. That's why I've
> >previously supported the idea of never mixing these key
> >usages (DS and NR) in the same certificate.
> >
> >However, if the interpretation of the bits, as some of you
> >point out, should be that digitalSignature (DS) indicates a
> >MECHANISM whereas nonRepudiation (NR) is a SERVICE,
> >then indeed can there be a good reason for having both
> >bits set.
> >
> >In order to still achieve the separation of the authentication
> >and non-repudiation service, I would propose the addition
> >of yet another key usage bit, namely the authentication (A)
> >SERVICE bit!
> >
> >That could make sense: either the keyUsage field of the
> >certificate has DS+A set, indicating an authentication
> >service based on a digital signature mechanism. Or the
> >certificate would have the keyUsage field set to DS+NR,
> >indicating a non-repudiation service based on a digital
> >signature mechanism.
> >
> >(Thinking of it: Wouldn't it also be possible to implement an
> >authentication service based on a data-encipherment
> >mechanism? If so, then the keyUsage would be DE+A)
> >
> >The drawback of this approach is that it adds further complexity
> >to an already quite complex concept. My only concern is that
> >we can agree on ONE solution that everyone interprets the same
> >way. Perhaps it's better to stick to the original idea of never
> >combining the DS and NR bits? Opinions?
> >
> >/Lars Johansson
> >
--
David Simonetti, Booz·Allen & Hamilton Inc.
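The two separation rules argued over in this thread (never set DS and NR together; never mix signature with key management) can be turned into a mechanical check on a certificate's keyUsage extension. The following is an added example, not code from anyone in the thread: it decodes the DER BIT STRING value of keyUsage (bit numbering per the X.509 KeyUsage definition, bit 0 = digitalSignature) and reports which rule a certificate violates. The sample encodings at the bottom are constructed, and the function names are mine.

```python
# Decode an X.509 keyUsage BIT STRING and apply the key-separation rules
# discussed in the thread. Assumes the caller has already extracted the
# extension value (the raw BIT STRING TLV) from the certificate.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03, short-form length) into named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("bad or unsupported length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    names = set()
    for i in range(len(body) * 8 - unused):
        # bit 0 is the most significant bit of the first content byte
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return names


def check_separation(usage: set) -> list:
    """Return findings for the two mixing patterns the thread warns against."""
    findings = []
    if {"digitalSignature", "nonRepudiation"} <= usage:
        findings.append("DS+NR: authentication and non-repudiation share one key")
    key_mgmt = {"keyEncipherment", "keyAgreement"} & usage
    if key_mgmt and {"digitalSignature", "nonRepudiation"} & usage:
        findings.append("signature mixed with key management: " + ", ".join(sorted(key_mgmt)))
    return findings


# Constructed sample values (DER of the BIT STRING only, hex):
SAMPLES = {"ds_ke": "030205a0", "ds_nr": "030206c0", "ds_only": "03020780"}
if __name__ == "__main__":
    for label, hexval in SAMPLES.items():
        usage = decode_key_usage(bytes.fromhex(hexval))
        print(label, sorted(usage), check_separation(usage))
```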