RE: To Be, or NR To Be ...
At 08:47 AM 8/23/99 -0400, Elliot Ginsburg wrote:
>Since the CA sets these bits, we have to decide what the CA is asserting
>when it sets or doesn't set a bit. Just as we have decided that when the
>CA asserts a policy OID, it is saying that it created this cert
>according to the named policies. When I use that cert, am I asserting
>something about policy because I used it? I don't know, but I do know
>that the CA did make an assertion.
>
>So what does the CA assert with the NR bit? One possibility has been
>mentioned already for the meaning of the CA setting the NR bit, and that
>is whether this cert can be used for non-repudiation. It's one thing,
>when I get a message, to trust who sent it and the integrity of the
>content; it's quite another to be able to verify this five years from
>now. So I, as a CA, might tell you that this cert is usable now, but
>don't come back to me in five years, because I do not run a
>non-repudiation service. Which would imply that if the NR is set, there
>is an assertion that this cert was intended to be used for
>non-repudiation and can be relied on for that, however non-repudiation
>was defined in the policies of the CA. As a relying party, I will not
>store this message away and assume I have proof of the signer's actions
>if the NR bit is not set.
Elliot,
The point Ed Gerck was making (about 100 posts back;) was that the CA
can only say "I will/won't cooperate with the use of this cert for NR
purposes." E.g., if the NR-bit is not set, we don't archive old stuff.
But others that are party to the original transaction are still free
to archive the signing cert, CA cert, CA Public Key, CRLs etc., and
present them in court in the case of a dispute. Who knows how far
this will get them. But it has been written on occasion that if the
NR-bit is not set, then the CA is saying "you cannot use this cert for
NR", and that is not necessarily true.
I agree with you, as Ed has also stated, that the CA controls the cert
issuing process, and so it is the CA making an assertion, directly.
___tony___
Tony Bartoletti
IOWA Center
Lawrence Livermore National Laboratory
PO Box 808, L - 089
Livermore, CA 94551-9900
phone: 925-422-3881 fax: 925-423-8081
email: azb@llnl.gov
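The bit the two messages argue about is bit 1 of the X.509 KeyUsage extension, a DER BIT STRING in which bit 0 is digitalSignature and bit 1 is nonRepudiation. The following is an added example, not code from either poster: a small pure-Python decoder for that BIT STRING, plus the relying-party rule Elliot describes (keep a signed message as long-term proof only if the CA set the NR bit). The sample DER values are constructed by hand for illustration and do not come from any real certificate.

```python
"""Decode an X.509 KeyUsage value (DER BIT STRING) and apply the relying-party
rule from the thread: archive a signature as evidence only when the CA set
the nonRepudiation bit.

Added example, not part of the original mailing-list post.
"""

# Bit positions as defined in RFC 2459 (and unchanged in RFC 5280):
# KeyUsage ::= BIT STRING { digitalSignature(0), nonRepudiation(1), ... }
KEY_USAGE_BITS = [
    "digitalSignature",   # 0
    "nonRepudiation",     # 1  (later X.509 editions call this contentCommitment)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
]


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING carrying a KeyUsage value and return the set of
    named bits that are set.  Malformed encodings raise ValueError rather than
    silently yielding an empty (and therefore permissive-looking) result."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is tiny, so only short-form lengths are expected here.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    # DER requires the unused trailing bits of the last octet to be zero.
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    # Bits are numbered from the most significant bit of the first octet.
    nbits = len(body) * 8 - unused
    usages = set()
    for i in range(nbits):
        octet, offset = divmod(i, 8)
        if body[octet] & (0x80 >> offset):
            usages.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS)
                       else "unknown(%d)" % i)
    return usages


def may_archive_as_evidence(der: bytes) -> bool:
    """The relying-party rule from the thread: treat a signed message as proof
    of the signer's action only if the CA asserted nonRepudiation."""
    return "nonRepudiation" in decode_key_usage(der)


# Constructed sample values (hand-encoded, not from a real certificate):
SIGNING_ONLY = bytes.fromhex("03020780")     # digitalSignature
SIGNING_AND_NR = bytes.fromhex("030206c0")   # digitalSignature + nonRepudiation
ENCRYPTION_ONLY = bytes.fromhex("03020520")  # keyEncipherment

if __name__ == "__main__":
    for label, der in [("signing only", SIGNING_ONLY),
                       ("signing + NR", SIGNING_AND_NR),
                       ("encryption only", ENCRYPTION_ONLY)]:
        print("%-16s %-40s archive as evidence: %s"
              % (label, sorted(decode_key_usage(der)), may_archive_as_evidence(der)))
```

Note that, as Tony points out, an unset NR bit only tells you the CA will not cooperate with a non-repudiation use; `may_archive_as_evidence` encodes one relying party's policy, not a statement about what a court will accept.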