bcrypto / bpki

A public key infrastructure profile

The nonRepudiation, digitalSignature and keyCertSign bits in KeyUsage #24

Closed agievich closed 6 years ago

agievich commented 6 years ago

In CommonPKI we read:

In April 2004 the ITU-T working group on X.509 renamed – without affecting its semantics – bit 1 of the KeyUsage extension to contentCommitment and declared the previous identifier nonRepudiation as being deprecated. The semantics of signature related key usage bits was clarified by ITU-T X.509 as follows:

  • digitalSignature: for verifying digital signatures that are used with an entity authentication service, a data origin authentication service or/and an integrity service.
  • contentCommitment: for verifying digital signatures which are intended to signal that the signer is committing to the content being signed. The type of commitment the certificate can be used to support may be further constrained by the CA, e.g. through a certificate policy. The precise type of commitment of the signer e.g. "reviewed and approved" or "with the intent to be bound", may be signalled by the content being signed, e.g. the signed document itself or some additional signed information. Since a content commitment signing is considered to be a digitally signed transaction, the digitalSignature bit need not be set in the certificate. If it is set, it does not affect the level of commitment the signer has endowed in the signed content.
  • keyCertSign: for verifying a CA's signature on certificates. Since certificate signing is considered to be a commitment to the content of the certificate by the CA, neither the digitalSignature bit nor the contentCommitment bit need be set in the certificate. If either (or both) is set, it does not affect the level of commitment the signer has endowed in the signed certificate.

We stay (together with СТБ 34.101.19) on the PKIX position and do not rename nonRepudiation to contentCommitment. But what do we do with the remaining rules? For example, should we clear digitalSignature when setting nonRepudiation?

pavlovkv commented 6 years ago

I think our table (apart from the bug with ЦАС) is correct. We always set digitalSignature when setting nonRepudiation. And in my view that is right. nonRepudiation, so to speak, extends/complements digitalSignature. But not the other way round.

agievich commented 6 years ago

The ЦАС flags have been fixed. Since agents have been introduced, the digitalSignature flag has been removed from РУЦ and ПУЦ (see #7).
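Added example, not code from the issue or from the bpki project: a decoder for the DER KeyUsage BIT STRING (RFC 5280, 4.2.1.3) followed by a check of the rules this thread settles on, namely that nonRepudiation is only set together with digitalSignature (pavlovkv's comment) and that CA certificates carry keyCertSign without digitalSignature (the resolution above). The rule encoding, the `is_ca` flag and the DER samples are assumptions constructed for the demonstration.

```python
# Added example, not bpki code. Assumed rules from this thread: nonRepudiation only
# together with digitalSignature; CAs carry keyCertSign without digitalSignature.

# RFC 5280 4.2.1.3 positions; bit 1 keeps its PKIX name, as the profile does.
KEY_USAGE_BITS = {0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
                  3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
                  6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly"}

def decode_key_usage(der: bytes) -> frozenset:
    """Parse 03 <len> <unused> <bits...>; bit 0 is the MSB of the first byte."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if not 1 <= length <= 0x7F or len(der) != 2 + length:
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS.get(i, f"bit{i}"))
    return frozenset(names)

def check_profile(usage: frozenset, is_ca: bool) -> list:
    """Return the violations of the assumed rules for one decoded KeyUsage."""
    problems = []
    if "nonRepudiation" in usage and "digitalSignature" not in usage:
        problems.append("nonRepudiation without digitalSignature")
    if is_ca:
        if "keyCertSign" not in usage:
            problems.append("CA without keyCertSign")
        if "digitalSignature" in usage:
            problems.append("digitalSignature on a CA (keyCertSign already commits)")
    elif "keyCertSign" in usage:
        problems.append("keyCertSign on an end-entity certificate")
    return problems

# Constructed samples: name -> (hex DER of the KeyUsage value, is_ca)
SAMPLES = {
    "user-sign": ("030206c0", False),  # digitalSignature + nonRepudiation
    "user-nr":   ("03020640", False),  # nonRepudiation alone: flagged
    "ca-old":    ("03020186", True),   # digitalSignature + keyCertSign + cRLSign
    "ca-fixed":  ("03020106", True),   # keyCertSign + cRLSign only
}

def audit_samples() -> dict:
    """Map each sample name to its list of violations (empty list = conforms)."""
    return {name: check_profile(decode_key_usage(bytes.fromhex(h)), ca)
            for name, (h, ca) in SAMPLES.items()}
```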