As it stands right now, I am putting the language in -CERT as Russ has
presented it:

    S/MIME receiving agents MUST NOT accept the signature of a message
    if it was verified using a certificate which contains the keyUsage
    extension without either the digitalSignature or nonRepudiation bit
    set.

    Sometimes S/MIME is used as a secure message transport for
    applications beyond interpersonal messaging. In such cases, the
    S/MIME-enabled application can specify additional requirements
    concerning the digitalSignature or nonRepudiation bits within the
    keyUsage certificate extension.

I believe that this is not contrary to any of the opinions voiced so far
about nonRepudiation semantics, and it does a fine job of offloading the
actual meaning and interpretation of this bit to good ol' "application
defined behavior".

Blake
--
Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com
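
The receiving-agent rule quoted above, as an added example that is not part of the original message or of the -CERT draft. It assumes the caller passes the DER-encoded KeyUsage BIT STRING (or None when the certificate has no keyUsage extension); the function names and the `app_required` hook for application-defined requirements are hypothetical.

```python
from typing import Optional

# KeyUsage named bits (X.509): bit 0 is the most significant bit of the first octet.
DIGITAL_SIGNATURE = 0
NON_REPUDIATION = 1


def key_usage_bits(bit_string: bytes) -> set:
    """Decode a DER BIT STRING into the set of bit numbers that are set."""
    if len(bit_string) < 3 or bit_string[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = bit_string[1]
    # keyUsage has at most 9 named bits, so only short-form lengths are expected.
    if length & 0x80 or length != len(bit_string) - 2:
        raise ValueError("unexpected length for keyUsage")
    unused, data = bit_string[2], bit_string[3:]
    if unused > 7 or (not data and unused):
        raise ValueError("bad unused-bits octet")
    total = len(data) * 8 - unused
    return {i for i in range(total) if data[i // 8] & (0x80 >> (i % 8))}


def accept_signature(key_usage: Optional[bytes],
                     app_required: frozenset = frozenset()) -> bool:
    """Apply the quoted rule, then any application-defined requirement.

    key_usage    -- DER KeyUsage BIT STRING, or None if the extension is absent
    app_required -- hypothetical hook: bits the application insists on
    """
    if key_usage is None:
        # The MUST NOT only applies when the extension is present.
        # Assumption: an application that demands specific bits rejects
        # certificates that cannot show them.
        return not app_required
    bits = key_usage_bits(key_usage)
    if not bits & {DIGITAL_SIGNATURE, NON_REPUDIATION}:
        return False  # extension present, neither signing bit set
    return app_required <= bits


# Constructed sample encodings (not taken from real certificates).
ONLY_DIGITAL_SIGNATURE = bytes.fromhex("03020780")
ONLY_NON_REPUDIATION = bytes.fromhex("03020640")
ONLY_KEY_ENCIPHERMENT = bytes.fromhex("03020520")
BOTH_SIGNING_BITS = bytes.fromhex("030206c0")
NO_BITS_SET = bytes.fromhex("030100")
```
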