
RE: Authentication vs. binding signature, and ephemeral vs.permanent key us: msg#00334

ietf.x509

Subject: RE: Authentication vs. binding signature, and ephemeral vs.permanent key usage


> When I get the certificate, did I "contract with VeriSign"? And if I did,
> how can I tell Verisign to set the NR bit? It's not on any other the sign up
> forms that I have seen.

In answer to your question, you most certainly were presented with
a contract and clicked on 'I Agree'. Amongst the contract terms you
agreed to was not divulging your private key.

The issue is not whether you have a contract with the CA. Clearly
there is a contract since there was an offer, an agreement and
an exchange of a valuable consideration (certificates for moulah).

The legal pernickety issue the lawyers have fun with is what the
TERMS of that contract are and whether they are enforceable.


As for the absence of the NR bit option, I would not know the
reason VeriSign does not support it on the public CA. There are
many reasons why a public CA is not likely to be offering it as
an option at the moment. Not the least of these is the issue
of explaining the issue to a customer.

More generally however the key usage bits are a feature that is
most likely to be of relevance in an enterprise environment, in
particular in conjunction with key recovery and dual key issue.
The VeriSign Class 1 and Class 2 public CAs are by no means
the only hierarchies we manage. Nor is the public Web interface
the only interface to the Class 1 and Class 2 public hierarchies.


Phill




