Peter Williams wrote:
I agree we should not deprecate the bit; there are coherent application contexts, including NATO X.400 secure inter-personal and organizational messaging service, and Authenticode. Neither of these contexts deviate from the ISO NR definitions and intent.
Yes, IMO deprecating the NR bit would mean more uncertainty than the intersubjective understanding already achieved.
We should remove any "mandatory requirement" for use of the NR-bit in IETF std protocols/profiles, however.
Yes, as well as (in a minimalistic edit) change "falsely denying" to "deny" in 2459.
Use of the NR bit should always be an operational choice; it is helpful if operational context(s) is/are signaled in the enhancedKeyUsage field.
Yes, agreed also.
Any PKIX language which implies a dependency between use of the NR bit and any other key usage bit, should be ignored for the purpose of compliance testing.
Yes, and I suggest the same should be applied to all other bits in the keyUsage field.
Cheers,
Ed Gerck