At 12:39 PM -0400 6/5/09, Sean Turner wrote:
>#1 Non-repudiation bit
>
>During the development of other profiles where the NR bit wasn't set, sometime after the profile gets developed I've usually gotten questions like "so you're not setting N-R can I use it for non-repudiation services?" To answer this question, I sometimes put text in that said yes you can (below). Maybe we should add something like this maybe in the security considerations?
>
>Note that setting keyCertSign, cRLSign, and digitalSignature also means
>that the certificate could be used by applications that require
>non-repudiation services for certificate, CRL, and content signing,
>respectively.

I disagree that this needs to be added, and I certainly don't think this qualifies as a security consideration. The draft already says (three times...) that the nonRepudiation bit MAY be set.

>#5 Question: 4.2 Conversion Routine
>
>Aren't the conversion routines in SEC1 and ANSI X9.62 the same? 5480
>pointed to SEC1 because it was more readily available (online and free
>versus online and not free for ANSI). Curious why you chose to point to
>3279 and not 5480? 2.3.5 of 3279 points to 4.3.3 and 4.3.6 of ANSI
>X9.62. 2.2 of 5480 points to 2.3.1 and 2.3.2 of SEC1G. If we don't
>point to 3279 here and the next one, you could delete it as a reference.
>

That's a good question. It is good for us to point to free and easily-retrieved documents when possible.

--Paul Hoffman, Director
--VPN Consortium