
Re: Authentication vs. binding signature, and ephemeral vs.permanent key u: msg#00335

ietf.x509

Subject: Re: Authentication vs. binding signature, and ephemeral vs. permanent key usage

Hi Phill,

Thanks for the info. I have a few comments below.

[snip]
>
>As for the absence of the NR bit option, I would not know the
>reason VeriSign does not support it on the public CA. There are
>many reasons why a public CA is not likely to be offering it as
>an option at the moment. Not the least of these is the issue
>of explaining the issue to a customer.

I understand that educating a customer is not easy, but that means that a
customer may be agreeing to a TERM that he/she does not understand and/or agree
with. How many of your customers have really read your 100+ page CPS?

Does VeriSign set any of the KeyUsage bits? If yes, how would I know which ones
are set? Neither Netscape's nor Microsoft's browsers display very much
information about a certificate.

>
>More generally however the key usage bits are a feature that is
>most likely to be of relevance in an enterprise environment, in
>particular in conjunction with key recovery and dual key issue.

I do not think that everyone agrees. I doubt that all your customers getting
certificates for S/MIME think they are strictly for "an enterprise environment".
In addition, I have not seen anyone state that they want their signing keys used
with any key recovery system.

>The VeriSign Class 1 and Class 2 public CAs are by no means not
>the only hierarchies we manage. Nor is the public Web interface
>the only interface to the Class 1 and Class 2 public hierarchies.

How do I find out about the other interfaces to your public hierarchies?

BTW, currently I cannot get a certificate from VeriSign because I am using a
Macintosh computer running MS Explorer V4.0. This is per VeriSign tech support.

Regards,
Aram Perez
Apple Computer, Inc.


