Re: Authentication vs. binding signature, andephemeralvs.permanent key usage

I agree with Bob.

The key usage bits are only defining the context. Other aspects has to be
handled
by the certificate policy, optionally combined by some other statements in the
certificate.

I encourage you to study the new candidate work item concerning a profile
for certificates aimed to support digital signatures for legal acceptance.
In this new context there are room for discussing more policy related
issues as a base context for the profile.

/Stefan


At 04:36 PM 8/27/98 -0600, Bob Jueneman wrote:
>>>     4) How is the private key involved? What happens if the corresponding
>>> certificate has the NR bit set but I use the private key to sign an
ephemeral
>>> object? Ditto for having the NR bit NOT set but I use the private key
to do a
>>> "conscious" signature?
>
>>If the extension is "critical" and the key is not used in a manner
>>appropriate to its indication, the processing application (recipient)
>>should reject the transaction.
>
>-- 
>David Simonetti, Booz·Allen & Hamilton Inc.
>
>Whoa!
>
>Let's think about that a second.
>
>Granted, the Critical bit ought to mean more than simply recognizing the
syntax -- there 
>is clearly some semantic understanding and validation that is required.
>
>But would we really expect a conforming application to recognize when an
object is
>ephemeral??  Or when a NR bit was set and the document appears to be more
like 
>a doodle or a draft than a final contract??
>
>Think about this from the standpoint of the API for a second -- the
decision as to whether 
>accept a certificate is going to be made by the operating system or PKI
subsystem.
>
>Is the application going to be required to reparse and revalidate the
certificate itself,
>and then stare at its own navel and try to figure out what the human
behind the 
>application is trying to do?  Pretty clever application!
>
>Isn't that asking an awful lot, given the fact that the people who wrote
the spec 
>can't even figure out what the bit means? :-)
>
>Bob
>
>
>
-------------------------------------------------------------------
Stefan Santesson                <stefan@xxxxxxxxxxx>
Accurata Systemsäkerhet AB     
Lotsgatan 27 D                  Tel. +46-40 152211              
216 42  Malmö                   Fax. +46-40 150790              
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------