[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Deprecate the NR bit?

To: "Aram Perez" <aram@xxxxxxxxx>
Subject: Re: Deprecate the NR bit?
From: Stephen Kent <kent@xxxxxxxxxxx>
Date: Tue, 31 Aug 1999 10:20:13 -0400
Cc: ietf-pkix@xxxxxxx
In-reply-to: <>

At 8:53 AM -0700 8/30/99, Aram Perez wrote:

>Ron Ramsay wrote:
>
>> Except that the NR bit cannot be added to the certificate by the
>> application!
>
>But the application can add a much better indicator to the data that needs
>to be part of the evidence that supports non-repudiation as has been
>proposed on this mailing list.

Not all applications may be trusted to properly assert invocation  of NR
services.  By including the NR bit in a cert, we have a (potentially)
higher assurance mechanism that can allow or prohibit an application from
invoking NR services.  For example, if one provides an application with
access to certs ONLY with NR=0, we can ensure that these apps cannot assert
that they are acting in an NR capacity on behalf of the user. This is a
very useful security facility and a good reason to keep the NR bit.

Steve

Follow-Ups:
- Real-world issues, Re: Deprecate the NR bit?
  - From: Ed Gerck

References:
- Re: Deprecate the NR bit?
  - From: Aram Perez

Prev by Date: Re: Comments on RFC 2459
Next by Date: New Internet Draft on Non-Repudiation Requirements
Previous by thread: Re: Deprecate the NR bit?
Next by thread: Real-world issues, Re: Deprecate the NR bit?
Index(es):
- Date
- Thread