[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: proposed key usaged text -- the final round

To: Denis Pinkas <Denis.Pinkas@xxxxxxxx>, Tim Polk <wpolk@xxxxxxxx>
Subject: Re: proposed key usaged text -- the final round
From: "Aram Perez" <aram@xxxxxxxxx>
Date: Tue, 07 Dec 1999 10:38:54 -0800
Cc: ietf-pkix@xxxxxxx

Denis Pinkas wrote:

> Tim,
> 
> I did not realized that the ball was rolling in my camp and thus I
> needed to send you a response.
> I would like first to summarize where we are. Keeping the first
> sentence unchanged and adding the text you proposed to solve both my
> issue and John Linn issue we come to the following normative text:
>
> The nonRepudiation bit is asserted when the subject public key is
> used to verify digital signatures used to provide a non-repudiation
> service. The values of the digitalSignature and nonRepudiation bits
> are not considered when validating the signature on certificates or
> certificate status information (see keyCertSign and cRLSigning,
> below, for values that are considered when validating such
> signatures.)
>
> Thenafter I agree that warnings should be moved in the security
> consideration section. So the only remaining point should be to
> agree on that text. You proposal was missing the case of the two
> bits set. Here is a new attempt:
>
> "A CA may include the key usage extension and assert the
> nonRepudiation bit when issuing a certificate. When such a
> certificate is delivered, it implies that the owner of the
> corresponding private key should be warned that, in the event of a
> dispute, he may be held responsible of the data signed with this
> key.
>
> If a certificate has both the digitalSignature and the
> nonRepudiation bit set, the owner of the private key should make
> sure that all the environments and applications where the
> corresponding private key is being used do not allow a misuse of
> that private key. If that condidence can only be obtained in some
> environments, two different certificates, one with one public public
> key and the digitalSignature bit set and another one with a
> different public key and the nonRepudiation bit set, should be used,
> so that the private key corresponding to the certificate with the
> nonRepudiation bit set is only used in secure environments."
>
> Regards,
>
> Denis

I like Denis' suggestions and I agree that "warnings should be moved in the
security consideration section".

Regards,
Aram Perez

[snip]

Follow-Ups:
- Consensus Text for key usage?
  - From: Tim Polk

Prev by Date: Re: proposed key usaged text -- the final round
Next by Date: back to nothing, was Re: proposed key usaged text -- the final round
Previous by thread: Re: proposed key usaged text -- the final round
Next by thread: Consensus Text for key usage?
Index(es):
- Date
- Thread