Re: Options, was Re: To Be, or NR To Be ...
> From: Tony Bartoletti <azb@llnl.gov>
>
> In some ways, the NR-bit is like marketing bottles of wood alcohol that
> are simply labeled "alcohol". The designation is "not necessary" to those
> that have performed investigation and use the liquid for cleaning purposes.
> The designation is "not sufficient" for those who assume that the liquid
> is grain alcohol and can be taken internally.
Your position is that more information on the label is better?
What label should be attached to a key which is known to be relatively
less suitable for supporting a NR process (perhaps because the binding
between a single individual and a specific private key is weak or
nonexistent) - "Key, NR=0", or simply "Key"?
The "necessary and sufficient" line of reasoning is as bogus with
respect to the NR bit as it is with respect to any other bit. A
necessary and sufficient statement says that the set of keys (or more
generally, the set of technologies) which can support and will provide
an XX operation is identical to the set of keys which have the XX bit
asserted in a certificate. No matter what value you substitute for
XX (digitalSignature, nonRepudiation, keyEncipherment, ...
decipherOnly), the "necessary and sufficient" condition is patently
false. We have the keyUsage extension because a cert with it provides
more information than a cert without it, not because the extension is
either necessary or sufficient to achieve any particular security
goal.
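As an added illustration (my own code, not part of the thread or of any library), here is a decoder for the RFC 5280 KeyUsage BIT STRING that reports exactly what the extension asserts, and a helper that keeps the three cases the "Key, NR=0" versus "Key" question turns on distinct: bit asserted, bit present but clear, and extension absent. The hex-encoded extension values below are constructed samples.

```python
from typing import FrozenSet, Optional

# Bit names in the order RFC 5280 assigns them in the KeyUsage BIT STRING.
# Bit 0 is the most significant bit of the first content byte.
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)


def decode_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode a DER KeyUsage BIT STRING (tag 0x03, short-form length)
    into the set of asserted bit names. Raises ValueError on malformed input."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused = der[2]           # first content byte: number of unused trailing bits
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero under DER")
    nbits = len(body) * 8 - unused
    asserted = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            asserted.add(KEY_USAGE_BITS[i])
    return frozenset(asserted)


def nr_status(key_usage_der: Optional[bytes]) -> str:
    """Describe what a certificate says about NR; None means no keyUsage extension."""
    if key_usage_der is None:
        return "no keyUsage extension"   # the bare "Key" label: nothing asserted either way
    if "nonRepudiation" in decode_key_usage(key_usage_der):
        return "nonRepudiation asserted"
    return "nonRepudiation not asserted"  # the "Key, NR=0" label


# Constructed sample extension values (DER), not taken from any real certificate.
SAMPLE_DS_KE = bytes.fromhex("030205a0")    # digitalSignature, keyEncipherment
SAMPLE_DS_NR = bytes.fromhex("030206c0")    # digitalSignature, nonRepudiation
SAMPLE_KA_DO = bytes.fromhex("0303070880")  # keyAgreement, decipherOnly (bit 8)
```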