Key usage bits 0 and 1
Denis Pinkas <Denis.Pinkas@bull.net> Mon, 17 March 2003 15:48 UTC
Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA17805 for <pkix-archive@lists.ietf.org>; Mon, 17 Mar 2003 10:48:04 -0500 (EST)
Received: (from majordomo@localhost) by above.proper.com (8.11.6/8.11.6) id h2HF6jR12306 for ietf-pkix-bks; Mon, 17 Mar 2003 07:06:45 -0800 (PST)
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.11.6/8.11.6) with ESMTP id h2HF6dg12297 for <ietf-pkix@imc.org>; Mon, 17 Mar 2003 07:06:41 -0800 (PST)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA20588; Mon, 17 Mar 2003 16:08:52 +0100
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id PAA25143; Mon, 17 Mar 2003 15:02:29 +0100
Message-ID: <3E75E460.9000906@bull.net>
Date: Mon, 17 Mar 2003 16:06:08 +0100
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>, Tim Polk <wpolk@nist.gov>
CC: Stephen Kent <kent@bbn.com>, Russ Housley <housley@vigilsec.com>, Steve Bellovin <smb@research.att.com>, Jeff Schiller <jis@mit.edu>
Subject: Key usage bits 0 and 1
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h2HF6ig12303
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
To Tim Polk and the WG, Sorry, this is a long e-mail. On February 27, 2003, I sent the following message to the co-chairs: **************************************************************************** Dear co-chairs, In the light of a Defect Report (n° 299) addressed by ISO SC 6 in London, I have noticed that a MAJOR change has been done between RFC 2459 and RFC 3280 about the interpretation of the DS and the NR bits. As far as I remember, I do not remember that this point has ever been discussed or mentioned on the mailing list. I will thus appreciate that you confirm this or point me about some e-mail exchanges where this point has been presented, explained and debated. Otherwise, to a summary of the changes that explains that point. Thanks, Denis **************************************************************************** On the same day I received a response from Tim Polk: **************************************************************************** Denis, [Tim] I am sure it was discussed on the list. I do not know when; it was some time ago. I believe that change occurred early in son-of-2459. [Denis] No. I still have most versions. The same text (identical to RFC 2459) was present from version new-part1-00.doc till version new-part1-12.doc, this means between 29 October 1999 and 25 January 2002, i.e. during 15 months. Then the change occured when the document was split into two parts and became new-part1-asn1-00.doc on 25 April 2002. So if you want to look for discussions it may only be between January 2002 and April 2002. I looked that time frame and there is not a single message on that topic. I remember that we got the message: "no change" except a clean split between algorithms and the rest of the document. So awaiting your own searches ... (...) [Tim] (...) I cannot do any research on it today. I will try to identify the version of the I-D where the change occurred and the discussion next week. With a little luck, I will send you the reference(s) Tuesday or Wednesday. If you need faster action, the messages should appear in the email archive. That is a lot of mail to look through, though. **************************************************************************** Then on March 12, 2003 I sent the following e-mail: **************************************************************************** Dear co-chairs, On Februray 27, I sent the following message to you: ========================================================================== In the light of a Defect Report (n° 299) addressed by ISO SC 6 in London, I have noticed that a MAJOR change has been done between RFC 2459 and RFC 3280 about the interpretation of the DS and the NR bits. As far as I remember, I do not remember that this point has ever been discussed or mentioned on the mailing list. I will thus appreciate that you confirm this or point me about some e-mail exchanges where this point has been presented, explained and debated. Otherwise, to a summary of the changes that explains that point. ========================================================================== On March 5, I send a remainder to both of you. On March 11, I sent a second remainder to both of you. I have received no response at all, since then. This matter is very important for me, and thus I am awaiting a response BEFORE the PKIX meeting. This matter is also related to the proposed revision of RFC 3039, for which I am not convinced that a revision is needed. This time I am copying Russ, as a co-editor of RFC 3280. He might be able to provide a response. I am also copying the two Security Area Directors. Regards, Denis **************************************************************************** On May 15, 2002 I sent the following message to the list: **************************************************************************** After taking a few days off, I have analyzed the storm of the e-mail exchanges on that topic. The core of the problem is that some people, by claiming requesting some "clarifications" on these two bits, would like to change their semantics. :-( The roadmap provides a good summary of what happened in the past: (...) many discussions were needed to arrive at a common agreement on the meaning of the digitalSignature (DS bit) and nonRepudiation (NR bit) bits and when they should be set. The group quickly realized that key usage extension mixes services and mechanisms. The DS bit indicates a mechanism - a public key used to verify a digital signature. The NR bit indicates a service - a public key used to verify a digital signature and to provide a non- repudiation service. When trying to indicate when each bit should be indicated arguments were based on: The lifetime of the object being singed. Some felt that the DS bit should be set when the certificate is used to sign ephemeral objects (e.g., bind tokens) while the NR bit should be set for things that are survive longer (e.g., documents). Of course, the problem with this distinction to determine how long is the time period for ephemeral? A conscious act taken by the signer. Many felt that the NR bit should be set only when the subject has expressly acknowledged that they want to use the private key to sign an object. Signing a document say where there is a conscious decision by the subject would be appropriate for the key usage extension to contain NR, but when the key is used for authentication purposes, which can occur automatically and more frequently, the DS bit is more appropriate. The discussion also concluded that since some authentication schemes occur automatically, that the DS bit and NR bit should never be set together in the same certificate. Some agreed to the differentiation of the bits based on the time, but did not agree that the two could not be in the same key usage extension. The procedures followed by the CA. Some felt that NR bit was kind of 'quality mark' indicating to the verifier that the verifier could be assured that the CA is implementing appropriate procedures for checking the subject's identity, performing certificate archival, etc. Other felt that it was not entirely the CAs job and that some other entity must be involved. In the end the WG agreed to a few things: - Provision of the service of non-repudiation requires more than a single bit set in a PKC. It requires an entire infrastructure of components to preserve for some period of time the keys, PKCs, revocation status, signed material, etc., as well as a trusted source of time. However, the nonRepudiation key usage bit is provided as an indicator that such keys could be used as a component of a system providing a non-repudiation service. - The certificate policy is the appropriate place to indicate the permitted combinations of key usages. That is, a policy may indicate that the DS and NR bits can not be set in the same certificate while another may say that the DS and NR bits can be set in the same certificate. [2459bis] includes new text indicating the above agreements. In addition to these explanations I would like to quickly reply to Sharon to say her that I disagree (as others) when she says that the only meaning of the NR bit is to say that the CA has no knowledge of the value of the private key. This would rule out CAs generating key pairs and would not be backward compatible with the current meaning. Now let us attempt to CLARIFY the meaning. David Kemp offered good explanations on these two bits: DS bit: the key is used to sign data, nonces or challenges that can be verified in real-time (entity authentication and data origin authentication services). NR bit: the key is used to sign data that can be verified at a later time (non–repudiation service). I would offer these additional explanations: When the DS bit (bit 0) is set, this means that the private key MAY have been used in an environment that is not fully controlled by the private key holder. In practice, this means that private keys related to certificates that have the DS bit set, will be used for entity authentication (e.g. signing challenges or nonces) or for data origin authentication (signing data that has not necessarily been reviewed). Since the environment is not fully controlled by the private key holder, the private key holder COULD deny that his key was used to sign a transaction, because he could claim that he was believing that his private key was used in an authentication process. Some authorities (like CRL Issuers) can sign by using a key related to a certificate that only has the DS bit set because they always chose what they sign and will never use that same key in an authentication exchange. When the NR bit (bit 1) is set, this means that the private key holder will only use its private key in an environment that he can control and which allows him to be confident of the data that is being effectively signed. The signer cannot claim that he was believing that his private key was simply used in an authentication process that he could not control. Denis **************************************************************************** Now, I did a search in my archives and I have a file named: <draft-ietf-pkix-new-part1-12.txt> from January 2002. It was recorded on January 25, 2002. It has the following text in it: The digitalSignature bit is asserted when the subject public key is used with a digital signature mechanism to support security services other than non-repudiation (bit 1), certificate signing (bit 5), or CRL signing (bit 6). Digital signature mechanisms are often used for entity authentication and data origin authentication with integrity. I have found an e-mail from the RFC editor dated from May 10, 2002: That e-mail says: A new Request for Comments is now available in online RFC libraries. RFC 3280 Title: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile Author(s): R. Housley, W. Polk, W. Ford, D. Solo Status: Standards Track Date: April 2002 Mailbox: rhousley@rsasecurity.com, wford@verisign.com, wpolk@nist.gov, dsolo@alum.mit.edu Pages: 129 Characters: 295556 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-pkix-new-part1-12.txt However, the file named draft-ietf-pkix-new-part1-12.txt is faily different from draft-ietf-pkix-new-part1-12.txt since the text above has been changed in the following way: The digitalSignature bit is asserted when the subject public key is used with a digital signature mechanism to support security services other than certificate signing (bit 5), or CRL signing (bit 6). Digital signature mechanisms are often used for entity authentication and data origin authentication with integrity. This is quite strange that two texts with the same name have different contents. Maybe the rfc-editor couild explain ? **************************************************************************** I wanted to inform the list that I am still awaiting a response from Tim, as co-editor of RFC 3280 and as co-chair of the PKIX WG (the responses may be different). For the time being, RFC 3280 is NOT backward compatible with RFC 2459 and is not compatible either with X.509. I would like that point to be mentioned at the next PKIX WG meeting. Regards, Denis
- Key usage bits 0 and 1 Denis Pinkas