
SV: Authentication vs. binding signature, and ephemeral vs. permanent key usage: msg#00299

ietf.x509

Subject: SV: Authentication vs. binding signature, and ephemeral vs. permanent key usage

Petra,
I agree with most of your reasoning, except the conclusion :-)
I think ONLY the NR bit should be set in "Golden" certificates for
Non-Repudiation for the following reason:

If both bits are set in a Golden certificate, an application in the key
holder's PC that wants to use a private key for automatic authentication
will surely think that it is allowed to use the corresponding private key,
since the DS bit is set.

But you have then added in your Certificate Specification that "a complying
application is NOT allowed to use a key for automatic authentication if the
NR bit is set". So the application not just needs to look at the DS bit, it
also needs to look at the NR bit (and what more bits...?). I think this is
requesting too much from the applications.

Best Regards
Hans

> -----Original message ------
From: Petra Glöckner
Stefan Santesson wrote:
>
> My main concern is how we define distinguishing properties for
> non-repudiation to clearly separate it from the DS bit. Failing this
> may lead to misuse of exclusive non-repudiation keys due to different
> interpretations.
>

Stefan,

I completely agree that we need a common understanding of how to use the
DS and the NR bit. So I'd like to express my understanding of both bits.

As far as I can tell from all the comments on this list the DS bit
should be used for unconscious signatures (session-oriented
authentication applications, e.g. SSL/TLS-like protocols) and the
NR bit should be used for conscious signatures (binding signatures,
long-term signatures).

But I think this definition is not correct. The DS bit is not restricted
to session-oriented authentication. The DS bit has to be set in a
certificate used for integrity of an object and authenticity of
the originator, i.e. for digital signatures in general - no matter
whether the signing act happens consciously or unconsciously and automatically.
For example to (consciously) sign my email I don't necessarily need to
have the NR bit set, but I need the DS bit set in my certificate.

NonRepudiation is a service provided by my CA by issuing and archiving
my certificate. So if a CA issues a certificate containing the NR bit
it indicates that the certificate and any other information about the
certificate holder will be archived and will remain available in the
future beyond certificate expiration.
So it's like a regular and a golden credit card: The DS certificate is
the regular and the NR certificate the golden credit card with extra
services and additional costs.
Signatures with a NR certificate will be regarded as more trustworthy
than signatures with only the DS bit set. Some applications might even
require a NR certificate.

Now the question still remains whether the NR bit has to be set
exclusively or combined with the DS bit.

In my opinion nonRepudiation services require the integrity
of the message and authenticity of the originator, both provided by the
digital signature. So the DS bit always needs to be set with the
NR bit.
If the definition of the NR bit will be changed, and it will include
the integrity and authenticity as well, the NR bit would be sufficient.
Otherwise both bits need to be set!

> That is the concern that it would be unfit to use a NR key for
> unconscious and automatic authentication mechanisms where the signing
> entity doesn't see and accept what he is signing with his key. Since
> this would lower the evidence value of NR signatures in court.

I agree, it's necessary to be able to distinguish a key used for
unconscious automatic signatures from a key used for conscious
signatures. But if I make such a difference I assume that the key
used for unconscious signatures (DS bit) is worth almost nothing
because the signer can falsely deny having signed the object.
So you can hardly place any trust in a certificate with the DS bit set.
I don't think this was the intent of this keyUsage bit.

I think the separation between keys used for conscious and unconscious
signing has to be placed somewhere else in the certificate, e.g. in the
extended key usages. You shouldn't overload the semantics of the
keyUsage field! I'd propose that a certificate to be used for access
control purposes where your private key is automatically used for
signing must contain an additional indicator, e.g. another extension.
Additionally, the DS bit in the keyUsage must be set.

Comments?

Petra

PS.: I'm one of the authors who wrote the profile for the German
digital signature law and I've followed the whole discussion with great
interest. The profile is only a draft by now, so it's possible to
change it if there is a good reason for doing so.
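The disagreement above is about what a relying application has to inspect before using a key automatically. The following Python example, added here and not part of the thread or any participant's code, decodes a DER keyUsage BIT STRING (bit positions as defined for X.509 keyUsage: digitalSignature = 0, nonRepudiation = 1) and contrasts the check Hans expects applications to make (DS bit only) with the check Petra's draft specification would require (DS set and NR clear). The sample encodings are constructed.

```python
# Bit positions of the X.509 keyUsage BIT STRING (digitalSignature is bit 0).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded keyUsage BIT STRING into the set of named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]          # first content byte = unused bits
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    named = set()
    for name, pos in KEY_USAGE_BITS.items():
        # bits are numbered from the most significant bit of the first byte
        if pos < total_bits and body[pos // 8] & (0x80 >> (pos % 8)):
            named.add(name)
    return named


def naive_auth_check(usage: set) -> bool:
    """What Hans expects a typical application to do: look at DS only."""
    return "digitalSignature" in usage


def strict_auth_check(usage: set) -> bool:
    """Petra's draft rule: automatic authentication needs DS set and NR clear."""
    return "digitalSignature" in usage and "nonRepudiation" not in usage


# Constructed sample encodings (tag 03, length, unused-bit count, bit bytes).
DS_ONLY = bytes.fromhex("03020780")     # bits "1"  -> digitalSignature
NR_ONLY = bytes.fromhex("03020640")     # bits "01" -> nonRepudiation
DS_AND_NR = bytes.fromhex("030206c0")   # bits "11" -> the "Golden" cert with both bits


def compare(der: bytes) -> tuple:
    """Return (naive result, strict result) for one keyUsage encoding."""
    usage = decode_key_usage(der)
    return naive_auth_check(usage), strict_auth_check(usage)
```

For the DS+NR encoding the two checks disagree (naive True, strict False), which is exactly the case Hans is worried about; for NR-only both checks refuse automatic use.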
