Enzo,
My apologies for being unclear. Since I am not an attorney licensed to
practice law in Hong Kong, I of course cannot speak to the legalities of
using a cert/key with a signature-only key usage restriction for encryption
purposes. Though I suspect even an attorney meeting the above qualifications
could not answer with certainty which consequences the manufacturer of
signature-only devices might face should such devices be used for encryption
purposes. As a data point, to the best of my knowledge, the use of
signature-only keys for encryption purposes has not been tested in any court
of law anywhere on the planet. Which tends to mean that any claims as to
what the consequences of doing so would be are speculative at best.

(Long rant why relying on an application outside one's control to enforce
key usage is bound to fail omitted).

--Lucky Green <[EMAIL PROTECTED]>

  "Anytime you decrypt: that's against the law".
   Jack Valenti, President, Motion Picture Association of America in
   a sworn deposition, 2000-06-06


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Enzo Michelangeli
> Sent: Wednesday, August 16, 2000 16:40
> To: Cryptography@C2. Net
> Subject: Re: Using signature-only certs to authenticate key exchanges
>
>
> Lucky (and Bill, in another message),
>
> My question was about the legal meaning, or, better, prevalent legal
> interpretation, of "signature-only key". I know how authenticated key
> exchange mechanisms work, and, on the other hand, Ron Rivest has shown that
> at least in principle there are other ways of achieving confidentiality by
> relying only on authentication primitives.
>
> This is not a purely academic issue. For example, in Hong Kong the import of
> cryptographic devices is exempted from import licensing (not a big hurdle,
> but an annoying bureaucratic procedure nevertheless) if they are "only used
> for authentication or digital signature":
>
> http://www.info.gov.hk/tid/faq/strategic1.htm#q23
>
> This effectively exempts things like signature-only smartcards and similar
> tokens.
>
> Cheers --
>
> Enzo
>
> ----- Original Message -----
> From: "Lucky Green" <[EMAIL PROTECTED]>
> To: "Cryptography@C2. Net" <[EMAIL PROTECTED]>
> Sent: Wednesday, August 16, 2000 4:00 PM
> Subject: RE: Using signature-only certs to authenticate key exchanges
>
>
> > Enzo,
> > Many applications that employ certs ignore key usage restrictions. This
> > isn't your fault or the fault of the CA. It simply reflects a 'broken'
> > implementation. IANAL, but I fail to see how you or your customers could be
> > held responsible for applications that use certs in ways other than the cert
> > was intended to be used by the issuer.
> [...]