Re: Authentication vs. binding signature, and ephemeral vs. permanent key usage (msg#00337, ietf.x509)
Hi Phil,

[snip]

>> >More generally however the key usage bits are a feature that is
>> >most likely to be of relevance in an enterprise environment, in
>> >particular in conjunction with key recovery and dual key issue.
>>
>> I do not think that everyone agrees. I doubt that all your
>> customers getting certificates for S/MIME think they are strictly
>> for "an enterprise environment".
>
>That is not what I said. I was referring to the key usage bits,
>not S/MIME. I would not expect the general public to be the
>first community of S/MIME users to demand support for the
>key usage bits.
>
>> In addition, I have not seen anyone state that they want their
>> signing keys used with any key recovery system.
>
>No. But unless a customer is using a key recovery system the
>incentive to use separate signing and encryption keys is not
>as great.

I disagree, see below.

>A user of a key recovery system would be very likely to want to
>set the key usage bit 'NR' in their signing cert and clear it
>in their encryption cert.
>
>Indeed the motivation for having the key usage bits comes from
>not wanting to escrow signing keys.

I'm afraid I strongly disagree. There are plenty of security reasons for NOT having one key pair that does key exchange, data encryption and signing. I've stated a few in previous postings and so have other people.

Regards,
Aram Perez
Apple Computer, Inc.
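As an added example, not part of this thread and not code from either correspondent's employer, the following Python encodes and decodes the X.509 keyUsage extension (the BIT STRING of RFC 5280 section 4.2.1.3, whose bit 1 was called nonRepudiation at the time of this discussion and is now contentCommitment) and applies the policy the two posts are arguing about: a signing certificate carries digitalSignature plus the NR bit, an encryption certificate carries only encipherment bits, a key is used only for operations its certificate's bits permit, and a key whose certificate asserts a signing bit is refused escrow. The operation names, the `escrow_allowed` rule and the sample bit patterns are this example's own assumptions, not anything the thread specifies.

```python
"""keyUsage extension: DER encode/decode and a usage/escrow policy check.

Added example for the key-usage-bits discussion; the extension values
below are constructed here, not taken from any real certificate.
"""

# Named bits of KeyUsage ::= BIT STRING (RFC 5280 4.2.1.3). Bit 0 is the
# most significant bit of the first content octet after the unused-bits count.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,   # renamed contentCommitment in RFC 5280
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# Assumed mapping from an application-level operation to the bit that must
# be set before a key may be used for it (this example's own policy table).
OPERATION_REQUIRES = {
    "sign": "digitalSignature",          # authentication / integrity signature
    "commit": "nonRepudiation",          # signature meant to bind the signer
    "wrap-key": "keyEncipherment",       # RSA key transport of a content key
    "encrypt-data": "dataEncipherment",  # direct data encryption
}


def encode_key_usage(names):
    """DER-encode a KeyUsage named bit list.

    DER rules: trailing zero bits are dropped, so the encoding is as short as
    the highest set bit allows, and the first content octet counts the unused
    (zero) bits in the final octet.
    """
    positions = sorted(KEY_USAGE_BITS[n] for n in names)
    if not positions:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING
    highest = positions[-1]
    value = bytearray(highest // 8 + 1)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    unused = 7 - (highest % 8)
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING into a set of names; reject malformed or
    non-minimal encodings instead of silently ignoring bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or non-short-form length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("bad unused-bits count")
    if bits and unused and bits[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    if bits and not (bits[-1] >> unused) & 1:
        raise ValueError("not DER: trailing zero bits not removed")
    return {
        name for name, p in KEY_USAGE_BITS.items()
        if p // 8 < len(bits) and bits[p // 8] & (0x80 >> (p % 8))
    }


def usage_permits(der, operation):
    """True if the certificate's keyUsage allows the named operation."""
    return OPERATION_REQUIRES[operation] in decode_key_usage(der)


def escrow_allowed(der):
    """Assumed escrow rule: a key whose certificate asserts any signing bit is
    never escrowed, because a second copy held by a recovery agent destroys
    the binding that digitalSignature and NR are supposed to promise."""
    return not decode_key_usage(der) & {"digitalSignature", "nonRepudiation"}


def rejects(der):
    """Helper for checks: True if decode_key_usage refuses this encoding."""
    try:
        decode_key_usage(der)
        return False
    except ValueError:
        return True


# Dual-key issue: one certificate per role, with disjoint usage bits.
SIGNING_CERT_KU = encode_key_usage({"digitalSignature", "nonRepudiation"})
ENCRYPTION_CERT_KU = encode_key_usage({"keyEncipherment", "dataEncipherment"})
# Single key pair doing everything: cannot be escrowed without escrowing a signing key.
SINGLE_KEY_KU = encode_key_usage({"digitalSignature", "nonRepudiation", "keyEncipherment"})

if __name__ == "__main__":
    for label, ku in [("signing", SIGNING_CERT_KU), ("encryption", ENCRYPTION_CERT_KU),
                      ("single-key", SINGLE_KEY_KU)]:
        print(label, ku.hex(), sorted(decode_key_usage(ku)), "escrow:", escrow_allowed(ku))
```

Running the script shows the two-certificate split producing `030206c0` for the signing certificate and `03020430` for the encryption certificate, with escrow permitted only for the latter; the combined certificate `030205e0` is refused escrow, which is exactly the case where a recovery system forces the choice between separate keys and an unrecoverable encryption key.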