Re: Authentication vs. binding signature, and ephemeral vs. permanent key usage (ietf.x509, msg#00259)
> In summary, I would suggest the following new key usage bits:
>
> 1. Authentication -- a service
>
> 2. Binding signature -- a service
>
> 3. Enduring -- an indication of the validity of the authentication or
> binding signature after the certificate validity interval. This should
> replace the current "nonrepudiation" bit, which should be deprecated.
>
> 4. Accessible by a third party -- i.e., subject to key escrow, key recovery,
> etc., whether by one's employer, a trusted third party, and/or the government
> directly.
>
> 5. Ideally, the "digital signature" mechanism bit must be exclusive of any
> other usage. But if it is used in combination with other bits, it may
> mean that the key will NOT be exempt from key escrow or weakened cryptography
> requirements that may be imposed by various regimes.

I mostly agree with this, but I'm wondering whether the plethora of extra bits isn't going to cause confusion in the future (look at the existing example of keyAgreement vs encipherOnly/decipherOnly - the latter two make the former redundant). How about just clarifying the digitalSignature definition to mean "binding signatures only" and adding a new authentication bit, instead of adding two new bits with a somewhat vague relationship to the existing one?

I'm also not so sure about the enduring and GAK bits. GAK isn't really a key usage, is a lot more complicated than just a simple "yes/no", and is already covered in a few standards (eg the draft GAK FIPS which devotes an entire certificate extension to it). The enduring bit may also be something which can't be expressed as a simple yes or no - how long does it endure? Is it affected by cert renewals? Is there a reliance limit attached to it?

It sounds like this would also require its own extension, and may not even be useful because it's really up to the relying party as to whether they're going to trust an expired cert, and what they'd trust it for - I have 5-year-old keys from people which I still trust for signatures even though they're well past their use-by date because they're not used for high-value signatures and because I know they're careful with the keys. I wouldn't trust them for high-value signing, and the presence or absence of an enduring bit wouldn't change this.

Peter.
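The keyUsage interaction the reply points to (keyAgreement versus encipherOnly/decipherOnly, and digitalSignature versus nonRepudiation) is easier to see on the wire. The following is an added example, not code from the thread or from any X.509 implementation: it decodes and encodes the KeyUsage extension value as a DER BIT STRING, using the bit positions from RFC 5280 section 4.2.1.3, and then reports which operations a relying party could derive from the bits. The sample encodings and the operation names in `permitted_operations` are constructed for this illustration; `dangling_qualifier` flags the case where encipherOnly/decipherOnly appear without keyAgreement, which the standard leaves undefined.

```python
"""Decode, encode and interpret the X.509 KeyUsage extension (a DER BIT STRING).

Added example for the thread above; not from the post or from any library.
Bit numbers follow RFC 5280 section 4.2.1.3 (bit 0 is the most significant
bit of the first content octet). Sample encodings are constructed here.
"""

# Names in bit order 0..8.  nonRepudiation was later renamed contentCommitment.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Parse a short-form DER BIT STRING (tag 0x03) into the set of named bits.

    Rejects non-minimal encodings: padding bits must be zero, and the length
    must cover exactly the unused-bits octet plus the content octets.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero under DER")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit = divmod(i, 8)
        if byte_index >= len(body):
            break                      # short BIT STRING: remaining bits are 0
        if body[byte_index] & (0x80 >> bit):
            usages.add(name)
    return usages


def encode_key_usage(usages) -> bytes:
    """Inverse of decode_key_usage; emits minimal DER (trailing zero bits dropped)."""
    bits, highest = 0, -1
    for name in usages:
        i = KEY_USAGE_BITS.index(name)   # raises ValueError on an unknown name
        bits |= 1 << (15 - i)            # two octets cover bits 0..15
        highest = max(highest, i)
    if highest < 0:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING
    nbytes = highest // 8 + 1
    unused = nbytes * 8 - (highest + 1)
    body = (bits >> (16 - nbytes * 8)).to_bytes(nbytes, "big")
    return bytes([0x03, nbytes + 1, unused]) + body


def permitted_operations(usages) -> dict:
    """Map the bits to what a relying party may do with the key (RFC 5280 semantics).

    encipherOnly/decipherOnly only narrow keyAgreement; without keyAgreement
    the standard says their meaning is undefined, reported here as
    'dangling_qualifier' (hypothetical name chosen for this example).
    """
    ka = "keyAgreement" in usages
    return {
        "sign_data": "digitalSignature" in usages,
        "commit_signature": "nonRepudiation" in usages,
        "wrap_keys": "keyEncipherment" in usages,
        "agree_encrypt": ka and "decipherOnly" not in usages,
        "agree_decrypt": ka and "encipherOnly" not in usages,
        "dangling_qualifier": (not ka) and bool({"encipherOnly", "decipherOnly"} & usages),
    }


# Constructed sample extension values (the bare extnValue BIT STRING, no OCTET STRING wrapper).
SAMPLES = {
    "rsa_tls_server": bytes.fromhex("030205a0"),    # digitalSignature + keyEncipherment
    "dh_encipher_only": bytes.fromhex("03020009"),  # keyAgreement + encipherOnly
    "dh_decipher_only": bytes.fromhex("0303070880"),  # keyAgreement + decipherOnly
    "stray_qualifier": bytes.fromhex("03020001"),   # encipherOnly without keyAgreement
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        bits = decode_key_usage(der)
        print(f"{label:16} {der.hex():12} {sorted(bits)}")
        print(f"{'':16} {permitted_operations(bits)}")
```

Running the block prints each sample's decoded bit names and the derived operation table; the `stray_qualifier` sample shows why a relying party needs a rule for bit combinations the specification does not define, which is the kind of ambiguity the reply expects more bits to multiply.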