"Carl Ellison" <[EMAIL PROTECTED]> writes:

>>Ah. That's why they're trying to rename the corresponding keyUsage bit
>>to "contentCommitment" then:
>
>Maybe, but that page defines it as:
>
>contentCommitment: for verifying digital signatures which are intended to
>signal that the signer is committing to the content being signed. The
>precise level of commitment, e.g. "with the intent to be bound" may be
>signaled by additional methods, e.g. certificate policy.

This refers to the second (and IMHO more sensible) use of the X.509 nonRepudiation bit, which uses digitalSignature for short-term signing (e.g. user authentication) and nonRepudiation for long-term signing (e.g. signing a document). The other definition uses digitalSignature for everything, and nonRepudiation as an additional service on top of digitalSignature. The problem with that definition is that no two people in the X.509 world can agree on what nonRepudiation actually signifies. The best suggestion I've seen for the nonRepudiation bit is that CAs should set it to random values to disabuse users of the notion that it has any meaning.

For the "additional-service" definition of nonRepudiation, the X.509 Style Guide says:

  Although everyone has their own interpretation, a good practical definition is "Nonrepudiation is anything which fails to go away when you stop believing in it". Put another way, if you can convince a user that it isn't worth trying to repudiate a signature then you have nonrepudiation. This can take the form of having them sign a legal agreement saying they won't try to repudiate any of their signatures, giving them a smart card and convincing them that it's so secure that any attempt to repudiate a signature generated with it would be futile, threatening to kill their kids, or any other method which has the desired effect. One advantage (for vendors) is that you can advertise just about anything as providing nonrepudiation, since there's sure to be some definition which matches whatever it is you're doing (there are "nonrepudiation" schemes in use today which employ a MAC using a secret shared between the signer and the verifier, which must be relying on a particularly creative definition of nonrepudiation).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
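
Added example, not part of the original message: a small decoder for the keyUsage BIT STRING that shows how the two definitions of the nonRepudiation bit described above give a relying party different answers for the same certificate. The function names, the "split"/"layered" labels, the way each definition is turned into a check, and the sample byte strings are assumptions made for illustration.

```python
# Added example (not from the original post). Bit numbers follow RFC 5280;
# bit 1 is nonRepudiation, the bit being renamed contentCommitment.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (short-form length) into keyUsage bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    # Named bit 0 is the most significant bit of the first content byte.
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and body[i // 8] & (0x80 >> (i % 8))}

def document_signature_ok(bits: set, reading: str) -> bool:
    """Would a relying party accept this key for a signed document?
    Assumed encoding of the two definitions from the post:
      'split'   - nonRepudiation marks long-term (document) signing keys
      'layered' - digitalSignature covers all signing; nonRepudiation is
                  only an extra service on top of it"""
    if reading == "split":
        return "nonRepudiation" in bits
    if reading == "layered":
        return "digitalSignature" in bits
    raise ValueError("unknown reading")

# Constructed sample extension values (DER BIT STRINGs), not real certificates.
SAMPLES = {
    "auth-only": bytes.fromhex("03020780"),  # digitalSignature
    "nr-only":   bytes.fromhex("03020640"),  # nonRepudiation
    "both":      bytes.fromhex("030206c0"),  # digitalSignature + nonRepudiation
}

def compare_readings() -> dict:
    """Map each sample to (accepted under 'split', accepted under 'layered')."""
    return {label: tuple(document_signature_ok(decode_key_usage(der), r)
                         for r in ("split", "layered"))
            for label, der in SAMPLES.items()}

if __name__ == "__main__":
    for label, (split, layered) in compare_readings().items():
        print(f"{label:10} split={split!s:5} layered={layered!s:5}")
```

Only the certificate with both bits set is treated the same way under both readings; the single-bit certificates are accepted by one reading and rejected by the other.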