RE: Options, was Re: To Be, or NR To Be ...
I think everyone agrees that the keyUsage extension provides more
information than would be present without it. The discussion on this
list seems to be, exactly what information does it provide? Anyone have
a clear proposal to make for what it means, other than 'go read the
CPS', because this adds nothing.
It seems easy to decide that NR==0 means 'don't use it for NR' (if
critical, you're forbidden to; if non-critical, you're advised not to).
But what exactly does NR==1 convey? From reading this list, I might
conclude it means 'you might want to use it for NR, depending on the
policy, your requirements, and the availability of NR services to you'.
While this doesn't do much, at least NR==0 is still very useful.
Elliott N Ginsburg
CygnaCom Solutions
ginsburg@cygnacom.com
703-848-0883
703-848-0960(FAX)
> -----Original Message-----
> From: David P. Kemp [SMTP:dpkemp@missi.ncsc.mil]
> Sent: Wednesday, August 25, 1999 2:48 PM
> To: ietf-pkix@imc.org
> Subject: Re: Options, was Re: To Be, or NR To Be ...
>
>
> > From: Tony Bartoletti <azb@llnl.gov>
> >
> > In some ways, the NR-bit is like marketing bottles of wood alcohol that
> > are simply labeled "alcohol". The designation is "not necessary" to those
> > that have performed investigation and use the liquid for cleaning purposes.
> > The designation is "not sufficient" for those who assume that the liquid
> > is grain alcohol and can be taken internally.
>
>
> Your position is that more information on the label is better?
>
> What label should be attached to a key which is known to be relatively
> less suitable for supporting a NR process (perhaps because the binding
> between a single individual and a specific private key is weak or
> nonexistent) - "Key, NR=0", or simply "Key" ?
>
> The "necessary and sufficient" line of reasoning is as bogus with
> respect to the NR bit as it is with respect to any other bit. A
> necessary and sufficient statement says that the set of keys (or more
> generally, the set of technologies) which can support and will provide
> an XX operation is identical to the set of keys which have the XX bit
> asserted in a certificate. No matter what value you substitute for
> XX (digitalSignature, nonRepudiation, keyEncipherment, ...
> decipherOnly), the "necessary and sufficient" condition is patently
> false. We have the keyUsage extension because a cert with it provides
> more information than a cert without it, not because the extension is
> either necessary or sufficient to achieve any particular security
> goal.
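As an added illustration (not code from the thread or from any PKIX implementation), the following decodes a DER-encoded keyUsage BIT STRING and applies the reading of the NR bit proposed in the reply above: NR==0 forbids NR use if the extension is critical and advises against it otherwise, while NR==1 only says the key may be used for NR subject to policy; a certificate with no keyUsage extension falls back to "go read the CPS". The bit positions are those of the PKIX profile (RFC 2459 at the time, RFC 5280 today); the sample encodings are constructed for this example.

```python
from typing import Optional, Set

# keyUsage bit positions per the PKIX profile (RFC 2459 / RFC 5280 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a short-form DER BIT STRING (tag 0x03) into the asserted keyUsage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form BIT STRING length")
    unused = der[2]          # number of unused trailing bits in the last octet
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    asserted = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break            # trailing zero bits are simply omitted in DER
        # ASN.1 bit 0 is the most significant bit of the first content octet.
        if body[i // 8] & (0x80 >> (i % 8)):
            asserted.add(name)
    return asserted


def nr_decision(der: Optional[bytes], critical: bool) -> str:
    """Apply the thread's reading of the nonRepudiation bit to one certificate."""
    if der is None:
        return "no keyUsage: consult the CPS"
    if "nonRepudiation" in decode_key_usage(der):
        return "NR=1: may be used for NR, subject to policy and available NR services"
    return "NR=0: forbidden for NR" if critical else "NR=0: advised against NR use"


if __name__ == "__main__":
    # Constructed sample: digitalSignature + nonRepudiation -> 0xC0, 6 unused bits.
    print(nr_decision(b"\x03\x02\x06\xc0", critical=True))
    # Constructed sample: digitalSignature only -> 0x80, 7 unused bits.
    print(nr_decision(b"\x03\x02\x07\x80", critical=True))
    print(nr_decision(None, critical=False))
```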