Re: Authentication vs. binding signature, and ephemeral vs. permanent key usage: msg#00329

ietf.x509

Subject: Re: Authentication vs. binding signature, and ephemeral vs. permanent key usage

Hi Denis,

I have several comments below (prefixed by **#**):

>Petra,
>
>I tried to follow the exchanges but they are going rather fast. I picked
>your message from yesterday and will use it to reply.
>
>> Stefan,
>
>> I completely agree that we need a common understanding of how to use the
>> DS and the NR bit. So I'd like to express my understanding of both bits.
>
>> As far as I can tell from all the comments on this list the DS bit
>> should be used for unconscious signatures (session-oriented
>> authentication applications, e.g. SSL/TLS-like protocols) and the
>> NR bit should be used for conscious signatures (binding signatures,
>> long-term signatures).
>
>Correct.

**#** Who or what determines that state of consciousness? Why, when I go to a
secure site using SSL, is this considered "unconscious"? Because I know what the
protocol is doing, I am conscious that signing is being performed, albeit without
any conscious act from me (other than going to the secure site). When I sign my
e-mails, are these conscious signatures because they are long term? Is it still
conscious when I tell my e-mail program, through my preferences settings, to
always sign my e-mails, even though it happens automatically without my
intervention?

>
>> But I think this definition is not correct. The DS bit is not restricted
>> to session-oriented authentication.
>
>No, it is restricted. The text says:
>
> The digitalSignature bit is asserted when the subject public key
> is used with a digital signature mechanism to support security
> services other than non-repudiation (bit 1), certificate signing
> (bit 5), or revocation information signing (bit 6). Digital
> signature mechanisms are often used for entity authentication
> and data origin authentication with integrity.
>
> The nonRepudiation bit is asserted when the subject public key is
> used to verify digital signatures used to provide a
> non-repudiation service which protects against the signing entity
> falsely denying some action, excluding certificate or CRL signing.
>

**#** So if I want to sign my e-mail (which I consider NOT to be
session-oriented), what bits should be set if the DS bit is limited to
session-oriented?

[snip]
Regards,
Aram Perez
Apple Computer, Inc.
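As an added illustration (not part of this thread or of any real implementation), here is a small Python decoder for the DER-encoded value of the X.509 KeyUsage extension, with the DS/NR semantics from the quoted text applied as a purpose check. The hex values are constructed samples, and the purpose names in `usable_for` are my own labels, not terms from the standard.

```python
# KeyUsage bit positions as numbered in the quoted text (bit 1 = NR, bit 5 =
# certificate signing, bit 6 = CRL signing). nonRepudiation was later renamed
# contentCommitment in RFC 5280; the bit position is unchanged.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (the KeyUsage extension value) into the set of
    named bits. Short-form length only; KeyUsage never needs the long form."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of byte 0
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown KeyUsage bit {i}")
            names.add(KEY_USAGE_BITS[i])
    return names

def usable_for(key_usage: set, purpose: str) -> bool:
    """Purpose check following the quoted text: session-oriented (TLS-like)
    authentication needs digitalSignature, a binding long-term signature
    needs nonRepudiation, and cert/CRL signing have their own bits."""
    required = {
        "entity-authentication": "digitalSignature",
        "binding-signature": "nonRepudiation",
        "certificate-signing": "keyCertSign",
        "crl-signing": "cRLSign",
    }
    return required[purpose] in key_usage

# Constructed sample extension values (not taken from any real certificate).
TLS_SERVER_KU = bytes.fromhex("030205a0")    # digitalSignature, keyEncipherment
SMIME_SIGNING_KU = bytes.fromhex("03020640") # nonRepudiation only
CA_KU = bytes.fromhex("03020106")            # keyCertSign, cRLSign
```

Under this check the TLS-style certificate is accepted for entity authentication but refused for a binding signature, which is exactly the split the thread is arguing about.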
