I agree with John and Stefan that the NR bit not be deprecated, for the reasons they indicate, and because the current draft DoD Certificate Policy has slightly different requirements for certificate generation and management for digital signature certificates that do or do not assert the non-repudiation key usage bit.
Dave Fillingham
----------
From: Linn, John[SMTP:jlinn@securitydynamics.com]
Sent: Friday, August 27, 1999 12:38 PM
To: 'Stefan Santesson'
Cc: 'ietf-pkix@imc.org'
Subject: RE: Deprecate the NR bit?
I agree with Stefan. While an NR bit is appropriately sourced within a PKIX
infrastructure (representing, in a protected manner, an assertion by an
issuing CA), it's primarily consumed above the infrastructure. Its
consumption and semantics will depend on operational environments and their
policies.
Consensus hasn't yet become apparent on identifying all of the
characteristics which PKI-supported NR services might possess, or in
organizing those characteristics into an ordering. In advance of that
process (which could be slow to converge), I think that PKIX should retain
RFC-2459's current treatment of the bit. I believe the binary switch is
useful and appropriate to distinguish between classes of intended usages;
this seems a valuable first-level indicator which may be appropriately
complemented in future by additional, finer-grained attributes.
--jl
> -----Original Message-----
> From: Stefan Santesson [mailto:stefan@accurata.se]
> Sent: Friday, August 27, 1999 10:05 AM
> To: William Flanigan; Bob Jueneman
> Cc: ginsburg@cygnacom.com; ietf-pkix@imc.org
> Subject: Re: Deprecate the NR bit?
>
>
> I must admit that I have not followed everything said regarding the NR-bit on this list, but I'm not surprised that PKIX can't provide a common understanding on what NR is in detail.
>
> In fact I don't think PKIX should even try to do that, other than in the very general context that has already been done in RFC 2459.
>
> This does not mean that the bit is useless and should be deprecated. The NR bit belongs in a much wider context totally above the PKIX level. The fact is also that the NR-bit is used in many higher level contexts with success. If you would deprecate the bit you would force them to be non-compliant to PKIX.
>
> It is up to higher levels of system design to provide the exact semantics of this bit, presumably in combination with some defined electronic signature policy. And then it's up to the lawyers and judges to judge the outcome of this higher level context.
>
> So I would rather deprecate this discussion within PKIX than deprecate the bit.
>
> /Stefan
>
> At 09:39 AM 8/27/99 -0400, William Flanigan wrote:
> >Now, this makes sense! What do others feel?
> >
> >Bob Jueneman wrote:
> >
> >[snip]
> >>
> >> My sense is that tempers are fraying, everyone's patience is wearing decidedly thin, and that the group is getting quite frustrated by the fact that we haven't been able to identify any single, reasonably simple definition for what we mean by NR.
> >>
> >> If that is the case, I believe we should deprecate the NR bit within PKIX, and then charter another WG to explore the interaction between the certificate contents, application (as opposed to protocol) behavior, and the business and legal issues involved with signed documents.
> >>
> >> Bob
>
> -------------------------------------------------------------------
> Stefan Santesson <stefan@accurata.se>
> Accurata AB http://www.accurata.se
> Slagthuset Tel. +46-40 108588
> 211 20 Malmö Fax. +46-40 150790
> Sweden Mobile +46-70 5247799
>
> PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
> -------------------------------------------------------------------
>
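As an added illustration of the layering the thread describes (the issuing CA asserts the keyUsage bits inside the certificate; the relying application decides what the nonRepudiation bit means under its own policy), here is example code that is not part of the original thread: it decodes an RFC 2459 KeyUsage BIT STRING from its DER encoding and applies a relying-party check. The sample encodings and the `policy_requires_nr` flag are constructed for this example.

```python
# Added example, not from the mailing-list thread. Decodes an RFC 2459
# KeyUsage BIT STRING (DER) and applies a relying-party policy to the
# nonRepudiation bit. Bit positions follow RFC 2459 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Return the set of usage names asserted in a DER BIT STRING.

    Layout: tag 0x03, one-byte length, unused-bit count, then the bits
    with bit 0 (digitalSignature) as the MSB of the first content byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (body and unused and body[-1] & ((1 << unused) - 1)):
        raise ValueError("invalid unused-bit count or padding")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def signature_acceptable(usages: set, policy_requires_nr: bool) -> bool:
    """Relying-party decision layered above the PKI (constructed policy).

    The CA only asserts the bits; whether nonRepudiation is required for a
    given class of signed document is decided here, by local policy.
    """
    if policy_requires_nr:
        return "nonRepudiation" in usages
    return "digitalSignature" in usages or "nonRepudiation" in usages


# Constructed sample encodings: 03 02 06 C0 asserts digitalSignature and
# nonRepudiation; 03 02 07 80 asserts digitalSignature only.
SIGNING_CERT_KU = bytes.fromhex("030206c0")
PLAIN_DS_KU = bytes.fromhex("03020780")
```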