
As proof of CA acts, not as NR, was Re: NR -- a CA guarantee to archive certificate status?
Bob Jueneman wrote:

> "In summary, we can see that the NR bit might reasonably be used to
> denote a certificate for which the CA has accepted the responsibility to
> archive the certificate status for a period of time after the expiration date.
>
> "However, issues of retention and access to such records for longer than
> about 10 years after the scheduled expiration date would make such a reliance
> problematic, given the vagaries of business and the lack of a statutory
> requirement for the transference of such records to another trusted third party."

I agree and, to be consistent and really solve the issue, I suggest that the name
NR bit needs to be changed to POA bit, as in "proofOfAuthentication bit".   This
is clearly not a "NR bit", whatever that might be.  This is a service which provides
various proofs of authentication acts done by the CA (CA of subscriber, CA of
subscriber's private-key challenge response, CA of signing CA certificate, CA of
cert issuance, CA of CRL, etc.)

As you say below,

> The biggest problem with the existing definition of the NR bit is that it
> ambiguously, and circularly, refers to a "non-repudiation service"
> without defining such a thing, or saying who has to do what, for whom,
> for how long, etc.

Let us not go into a worse mistake in the new incarnation of this issue,
by having a "NR bit" that does not even refer to a "non-repudiation service"
and does not define such a thing, but bears the blame ;-) -- while it does a
whole lot of useful things (proof of CA authentication acts) that it would
not say.

Cheers,

Ed Gerck