
Re: NR, redux, again.



At 09:57 AM 11/1/99 -0700, Bob Jueneman wrote:
>>>> Oscar Jacobsson <oscar.jacobsson@celocom.com> 11/01/99 09:46AM >>>
>Bob Jueneman wrote:
>> Then, once it becomes obvious that a single bit is not sufficient
>> to represent all of the different and useful notions that are at
>> least close to NR, we can then make progress in defining those
>> additional bits or states.
>
>Mr. Jueneman, list:
>
>This might well constitute sticking my neck out too far, but since the
>certificatePolicies extension has room for more than one
>PolicyInformation SEQUENCE, could not the PKIX working group try working
>out a set of the most common conceptions of the usage of the NR bit and
>define CertPolicyId's for them that conformant CAs could add to their
>own?
>
>The combination of NR-specific policyIdentifier and presence/absence of
>NR-bit should hopefully be sufficient to represent at least the
>different notions present in the PKIX working group.
>
>Just a thought.
>
>//oscar
>
>Oscar, that's a thought, and one of a number of possibilities.
>
>But one of the most important issues that your suggestion brings up
>is whether NR has anything to do with a CA AT ALL, and therefore
>whether it is appropriate to represent in a CertPolicyId extension.
>
>Bob

All,

I think we have long agreed that a single NR-bit is of very limited
utility in conveying the range of qualities we may need to assert in
non-repudiation.  (Ed Gerck's taxonomy and Tom Gindin's codification
are certainly a solid representation of this range.)  In particular,
as Bob reminds us, there is no a priori reason to assume that NR is
strictly (or even best) the job of the CA.

As an exercise, it may be useful to imagine that you are going to set
yourself up as a "Full-Serve Digital NR Service" but you are NOT a CA.
Of course, you will be involved with digital documents, signatures,
certificates, independent time-stamps, and countless other concerns.
Now the question to ask is "What, if anything, would you want a given
certificate's NR-bit to signify?"  Of what utility is it to you?

Being a full NR service, I imagine you will certainly be archiving
relevant objects as a matter of course, so do you care if the CA is
providing (redundant) long-term storage?  I doubt it.  Hence the
association of cert NR-bit with cert "lifetime" is misplaced.

I can understand why some folks (CAs) would like to limit the NR-bit
to such a simple notion.  It is "do-able", and they are under pressure
to "do NR" from some quarters.

Comments?

___tony___

Tony Bartoletti                                             LL
IOWA Center                                              LL LL
Lawrence Livermore National Laboratory                LL LL LL
PO Box 808, L - 089                                   LL LL LL
Livermore, CA 94551-9900                              LL LL LLLLLLLL
phone: 925-422-3881   fax: 925-423-8081               LL LLLLLLLL
email: azb@llnl.gov                                   LLLLLLLL
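To make Oscar's suggestion concrete, the following added example (it is not code from this thread, from PKIX or from any CA product) shows what a relying party would actually evaluate: the nonRepudiation bit of the keyUsage BIT STRING together with the policyIdentifier OIDs in certificatePolicies. It uses only the Python standard library, builds its own DER for the Extensions block so it runs offline, and uses hypothetical NR-specific policy OIDs under 2.999, the arc reserved for examples; no such identifiers were ever defined by PKIX, and the meanings given to them here are placeholders, not anything the working group agreed. The keyUsage (2.5.29.15) and certificatePolicies (2.5.29.32) OIDs and the bit positions are the real ones from the X.509 profile.

```python
"""Combine the keyUsage nonRepudiation bit with certificatePolicies OIDs.

Added example, not code from the original thread.  The policy OIDs under
the 2.999 example arc are hypothetical stand-ins for "NR-specific
policyIdentifier" values; PKIX never assigned any.  The DER is built by a
minimal encoder below so the script needs no real certificate.
"""

OID_KEY_USAGE = "2.5.29.15"
OID_CERT_POLICIES = "2.5.29.32"
KU_DIGITAL_SIGNATURE = 0   # KeyUsage bit positions from the X.509 profile
KU_NON_REPUDIATION = 1

# Hypothetical NR-specific policy identifiers (placeholders, not real OIDs).
NR_POLICIES = {
    "2.999.1": "NR asserted by the CA alone, no independent archive",
    "2.999.2": "NR asserted only with an independent time-stamp and archive",
}

# --- minimal DER encode/decode helpers -----------------------------------

def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:                      # base-128, high bit = "more follows"
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    values, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(cur)
            cur = 0
    first = values[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + values[1:])

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_sequence(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

# --- constructing a sample Extensions block (test data, not a real cert) --

def key_usage_ext(bits):
    """KeyUsage BIT STRING: bit 0 is the MSB of the first content byte."""
    nbits = max(bits) + 1 if bits else 0
    nbytes = (nbits + 7) // 8
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    content = bytes([nbytes * 8 - nbits]) + value.to_bytes(nbytes, "big")
    return tlv(0x30, encode_oid(OID_KEY_USAGE) + tlv(0x01, b"\xff")   # critical
               + tlv(0x04, tlv(0x03, content)))

def cert_policies_ext(oids):
    infos = b"".join(tlv(0x30, encode_oid(o)) for o in oids)   # PolicyInformation
    return tlv(0x30, encode_oid(OID_CERT_POLICIES) + tlv(0x04, tlv(0x30, infos)))

def build_extensions(key_usage_bits, policy_oids):
    return tlv(0x30, key_usage_ext(key_usage_bits) + cert_policies_ext(policy_oids))

# --- what a relying party (or a non-CA NR service) would evaluate ---------

def parse_extensions(der):
    """Map extnID -> extnValue contents; the optional critical flag is skipped."""
    _, body, _ = read_tlv(der)
    result = {}
    for _, ext in iter_sequence(body):
        parts = list(iter_sequence(ext))
        result[decode_oid(parts[0][1])] = parts[-1][1]
    return result

def key_usage_bits(extn_value):
    _, content, _ = read_tlv(extn_value)
    total = (len(content) - 1) * 8 - content[0]   # content[0] = unused bits
    return {i for i in range(total) if content[1 + i // 8] & (0x80 >> (i % 8))}

def policy_identifiers(extn_value):
    _, body, _ = read_tlv(extn_value)
    return [decode_oid(next(iter_sequence(info))[1]) for _, info in iter_sequence(body)]

def nr_assertion(extensions_der, nr_policies):
    """Return (NR bit set?, [NR-specific policy OIDs the cert asserts])."""
    exts = parse_extensions(extensions_der)
    bit = OID_KEY_USAGE in exts and KU_NON_REPUDIATION in key_usage_bits(exts[OID_KEY_USAGE])
    asserted = policy_identifiers(exts[OID_CERT_POLICIES]) if OID_CERT_POLICIES in exts else []
    return bit, [p for p in asserted if p in nr_policies]

if __name__ == "__main__":
    sample = build_extensions({KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION}, ["2.999.1"])
    bit, matched = nr_assertion(sample, NR_POLICIES)
    print("NR bit:", bit, "| NR-specific policies:", [NR_POLICIES[p] for p in matched])
```

The point the script makes is the one the thread circles around: the bit on its own only tells you that the CA set it, while the bit plus a recognised policy OID tells you which notion of NR the CA meant to assert, and a cert carrying the bit with only anyPolicy (2.5.29.32.0) or an unknown policy yields an empty match and should be treated as "NR bit, semantics unspecified".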