W3C home > Mailing lists > Public > www-xkms@w3.org > January 2005

Re: Question on Key usages and Attribute Certificate

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 27 Jan 2005 10:22:18 +0000
Message-ID: <41F8C0DA.4010406@cs.tcd.ie>
To: Seung-wook Jung <seung-wook.jung@uni-siegen.de>
Cc: www-xkms@w3.org


Hi,

XKMS can certainly support any applications which use
XAdES, and there are plenty of valid ways to do that.
Here's one from the archive of this list [1] from a
bit more than a year ago.

As to the rest of your mail: we clearly disagree as to
whether or not N-R is a sensible key usage: you think
it is, I don't - and that's fine, since we don't need
to agree!

The XKMS WG concensus, which is what matters here, is,
was always, and I guess will continue to be that N-R is
not treated as a key usage, and further, that the WG
will attempt to prevent people making the mistake of
thinking N-R is a key usage, by making it very hard to
extend key usage. Check the archives and meeting minutes
and you'll see repeated assertions to this effect.

You should also go check the archives of the PKIX list
to see just where you end up considering N-R as a
key usage (e.g. [2] is one of the many recurring threads
there over the years). Feel free to take that up on
the PKIX list if you like but this list is not the
appropriate place for such discussion.

Stephen.

[1] http://lists.w3.org/Archives/Public/www-xkms/2003Dec/0005.html
[2] http://www.imc.org/ietf-pkix/old-archive-01/thrd4.html#01025


Seung-wook Jung wrote:

> Dears, 
> 
> <stephen farrell wrote:>
> 
>>These three are afaik the only *cryptographically relevant*
>>key usages in widespread use.
> 
> 
>>We explicitly decided not to ever mention, nor conisder the N-R
>>thing. (Also note that x.509 is moving slowly that way too,
>>that bit will be called "contentCommitment" in future ITU-T
>>docs, whatever that means.)
> 
> 
>>Basically, we don't discuss N-R in XKMS. Its not a
>>cryptographic operation. See the many, many pkix mails
>>on this topic for why. If you still want to talk about
>>N-R, I'd suggest looking to the ABA or maybe the ETSI
>>group who believe in such things.
> 
> </stephen farrell wrote:>
> 
> IMHO, the standards must be extensible or generalized, it does not 
> limited only for widespread usage at this moment. 
> Also, the extensibility is a virtual of eXtensible Markup Language. 
> The key usage can be divided cryptographic service, mechanism, 
> and whatsoever according to the policy of organization. 
> In that sense, KeyUsageType in XKMS schema is too limited to be extensible or 
> too coarse-grained. 
>  
> <seung-wook jung wrote> 
> 
>>>How do you sure that any XKMS users will not sign over a
>>>hash value of a document, which says you give me 10000$, 
>>>rather than a random challenge by challenge-response protocol?
> 
> </seung-wook jung wrote> 
> 
> <stephen farrell answered:>
> 
>>That's not relevant for XKMS. Applications which care, must
>>care themselves. An xkms responder implementation/configuration
>>which cares, can do so without affecting the protocol, e.g. via
>>UseKeyWith or any other preferred mechanism (e.g. different
>>responder URLs or some ad-hoc implementation wizardry). In
>>any case, there's no way the xkms protocol can check or
>>enforce what the document signature covers - you just have
>>to depend on the application for that.
> 
> </stephen farrell answered:>
> 
> Of course, XKMS protocols itself cannot check or enforce what you can sign. 
> IMHO, XKMS should not be limited to only authentication with digital signature mechanism. 
> At the same time, XKMS should not consider all possible applications such as XAdES.
> Therefore, what I wanted to say was how the security whole can be made due to the coarse-grained 
> or un-extensible key usages. Also, coarse-grained and limited key usages makes ambiguous. 
> 
> IMHO, the keyusage includes N-R or extensible in order to more clarify usage of key 
> and make the key usage independent on applications according to policy of trust third party. 
> 
> Best Regards, 
> S. Jung
> 
> ==========================================================
> Seung-Wook Jung
> 
> University of Siegen
> - Institute for Data Communications Systems -
> 
> Hoelderlinstrasse 3
> D-57068 Siegen / Germany
> Phone:     +49-271-740-2332
> Fax:       +49-271-740-2536
> e-mail:    seung-wook.jung@uni-siegen.de
> URL:       http://www.dcs.uni-siegen.de
> ============================================================
Received on Thursday, 27 January 2005 10:22:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:43 UTC