[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: proposed key usaged text -- the final round

To: Tim Polk <wpolk@xxxxxxxx>
Subject: Re: proposed key usaged text -- the final round
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Tue, 07 Dec 1999 18:47:55 +0100
Cc: ietf-pkix@xxxxxxx
Organization: Bull
References: <> <>

Tim,

I did not realized that the ball was rolling in my camp and thus I
needed to send you a response.
I would like first to summarize where we are. Keeping the first
sentence unchanged and adding the text you proposed to solve both my
issue and John Linn issue we come to the following normative text:

The nonRepudiation bit is asserted when the subject public key is
used to verify digital signatures used to provide a non-repudiation
service. The values of the digitalSignature and nonRepudiation bits
are not considered when validating the signature on certificates or
certificate status information (see keyCertSign and cRLSigning,
below, for values that are considered when validating such
signatures.)

Thenafter I agree that warnings should be moved in the security
consideration section. So the only remaining point should be to
agree on that text. You proposal was missing the case of the two
bits set. Here is a new attempt:

"A CA may include the key usage extension and assert the
nonRepudiation bit when issuing a certificate. When such a
certificate is delivered, it implies that the owner of the
corresponding private key should be warned that, in the event of a
dispute, he may be held responsible of the data signed with this
key. 

If a certificate has both the digitalSignature and the
nonRepudiation bit set, the owner of the private key should make
sure that all the environments and applications where the
corresponding private key is being used do not allow a misuse of
that private key. If that condidence can only be obtained in some
environments, two different certificates, one with one public public
key and the digitalSignature bit set and another one with a
different public key and the nonRepudiation bit set, should be used,
so that the private key corresponding to the certificate with the
nonRepudiation bit set is only used in secure environments."

Regards,

Denis

=======================================
 
> Denis,
> 
> At 11:52 AM 11/25/1999 +0100, Denis Pinkas wrote:
> >Tim and Russ,
> >
> >> To people who still care about NR:
> >
> >I care.
> >
> 
> We thought you might. :-)
> 
> I've cut and pasted a bit to asssist those reading along at home... I trust I haven't altered your intent.
> 
> Our proposed text:
> > The nonRepudiation bit is asserted when the subject public key is
> > used to verify digital signatures used to provide a non-repudiation
> > service. This service protects against the certificate subject
> > falsely denying signing the data, excluding certificate or CRL
> > signing. In the case of later conflict, a reliable third party may
> > determine the authenticity of the signed data.
> 
> Your proposed text:
> 
> >" The nonRepudiation bit is asserted when the subject public key is
> >used to verify digital signatures used to provide a non-repudiation
> >service. When present, the nonRepudiation bit indicates that the
> >private key corresponding to the subject public key present in that
> >certificate may be used to indicate the user's conscious and willing
> >intent to endorse what is being signed."
> >
> 
> I prefer our text, since it sticks to the definition of the service. The certificate subject can use their private key for anything they'd like. The question for the key usage extension is, "Should I use this public key to implement this service?". I believe our text describes the general case, yours an important specific case.
> 
> Russ and I worked very hard to remove the word "intent" in our latest proposal. Intent can only be indicated through context, such as the signing policy that ETSI has proposed. This specification cannot do a thing to ensure that any particular signature was generated conciously and willingly.
> 
> Since our text includes your case, and ETSI is already working on the mechanisms to describe the signing context, I think our text is a good middle ground.
> 
> You also wrote:
> >I would also propose to add a note that explains the case of a
> >certificate having both the DS and the NR bits set and to place this
> >addition at the end of the whole section 4.2.1.3:
> >
> >" Note: A certificate with the nonRepudiation bit set should only be
> >used when it is possible to get full confidence of the environments
> >where the private key will be used. If a certificate has both the
> >digitalSignature and the nonRepudiation bit set, the entity owning
> >the private key should have full confidence of all the various
> >environments and applications where the private key will being used.
> >For the cases where that condidence cannot be obtained, two
> >different certificates, one with one public public key and the
> >digitalSignature bit set and another one with a different public key
> >and the nonRepudiation bit set, should be used."
> >
> >
> 
> I substituted "issued" for "used" in this paragraph. I'm assuming you are talking about how a CA determines *which* bits should be asserted. Is that right? On that assumption, I think it is a policy issue or a security consideration. [Side note: What do you mean by "full confidence"?] The next paragraph points to the policy for additional information.
> 
> The other possibility would be the security considerations section. It could build on the current text, which includes the folowing:
> 
> The protection afforded private keys is a critical factor in main-
> taining security. On a small scale, failure of users to protect
> their private keys will permit an attacker to masquerade as them, or
> decrypt their personal information. [stuff about CA keys deleted]
> 
> Adding the following paragraph might address your concern:
> 
> A CA may include the key usage extension and assert the nonRepudiation bit
> when issuing a certificate. This implies that a reliable third party will
> be able to determine the authenticity of signed data in the event of a dispute.
> If the certificate subject uses the private key in an insecure environment,
> it may be difficult to detect or prevent key compromise. This could prevent a
> reliable third party from determining the authenticity of signed data. A CA
> should consider the environment of the private key before asserting the
> nonRepudiation bit.
> 
> I know this text is very rough, but would this serve your purpose?
> 
> Thanks,
> 
> Tim

Follow-Ups:
- back to nothing, was Re: proposed key usaged text -- the final round
  - From: Ed Gerck

References:
- proposed key usaged text -- the final round
  - From: Russ Housley
- Re: proposed key usaged text -- the final round
  - From: Tim Polk

Prev by Date: RE: Accessing/selecting biometrics was: Stray Poll: Finger-printsin QCs
Next by Date: Re: proposed key usaged text -- the final round
Previous by thread: Re: proposed key usaged text -- the final round
Next by thread: back to nothing, was Re: proposed key usaged text -- the final round
Index(es):
- Date
- Thread