ietf-smime

Key usage. No, wait, *extended* key usage

1998-02-05 01:59:14
Hmm.  From PKIX part 1:

] 4.2.1.14  Extended key usage field
]
] This field indicates one or more purposes for which the certified
] public key may be used, in addition to or in place of the basic
] purposes indicated in the key usage extension field.  This field is
] defined as follows:

Anyone want to take a stab about what action we should take about this
for S/MIME?  This extension is a new one to me...

I should pay more attention in class.

<Grunt, groan.  Putting on my flame retardant suit that seems to have
shrunk.>

I think our cryptographic use of X.509 certificates falls into four
cases.  Someone chime in if there are more:

1. Encrypting a message
2. Verifying a signature for a message
3. Verifying a signature of a certificate
4. Verifying a signature of a CRL

For verifying a signature, the keyUsage extension (if present) MUST have
the nonRepudiation bit set.  No other bit is required to be set for an
S/MIME signature verification certificate, and no other bit needs to be
checked when determining the suitability of a certificate for verifying
an S/MIME signature.

For encrypting a message, the keyUsage extension (if present) MUST have
the keyEncipherment bit set.  No other bit is required to be set for an
S/MIME encrypting certificate, and no other bit needs to be checked when
determining the suitability of a certificate for encrypting an S/MIME
message.

For verifying a signature of a certificate, PKIX part 1 rules apply.  I
presume that this means that exactly the keyCertSign bit must be set,
and no other bit needs to be checked...  You know the drill.

For verifying a signature of a CRL (sorry, cRL), PKIX part 1 rules
apply.  I presume that this means that exactly the cRLSign bit must be
set, and no other bit needs to be checked...  Yadda yadda.  I mean that
sincerely.

What to do about extendedKeyUsage?  Do we require that
id-kp-emailProtection MUST be set if extendedKeyUsage is present,
otherwise don't use the certificate?  This object identifier seems to
apply to us.

Guidance appreciated.

<someone help me out of this suit>

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060
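The four certificate uses and the proposed extendedKeyUsage rule above can be turned into a concrete suitability check. The following is an added example, not code from the original post or from any S/MIME implementation: it decodes the DER value of a keyUsage BIT STRING and an extKeyUsage SEQUENCE OF OBJECT IDENTIFIER with a minimal hand-written decoder (a real implementation would use an ASN.1 library), then applies exactly the per-purpose rules the message lists, including the proposal that id-kp-emailProtection must be present when extendedKeyUsage is present. The bit positions are the X.509 keyUsage positions and the OID 1.3.6.1.5.5.7.3.4 is id-kp-emailProtection from PKIX part 1; the purpose names, function names and the sample DER values are constructed for this example.

```python
"""Added example: apply the S/MIME certificate-suitability rules from the
mailing-list post to decoded keyUsage / extKeyUsage extension values.
The DER decoder below is deliberately minimal (single extension values
only); it is not a general ASN.1 parser."""

# keyUsage bit positions as defined in X.509 / PKIX part 1.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection (PKIX part 1)

# The bit each of the four uses from the post requires (purpose names are ours).
REQUIRED_BIT = {
    "verify_message_signature": "nonRepudiation",
    "encrypt_message": "keyEncipherment",
    "verify_certificate_signature": "keyCertSign",
    "verify_crl_signature": "cRLSign",
}
SMIME_MESSAGE_PURPOSES = {"verify_message_signature", "encrypt_message"}


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value triple (short and long-form length)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der: bytes) -> set:
    """Decode a keyUsage BIT STRING into the set of named bits that are set."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused  # trailing 'unused' bits are padding
    names = set()
    for name, i in KEY_USAGE_BITS.items():
        byte, bit = divmod(i, 8)
        if i < total_bits and bits[byte] & (0x80 >> bit):
            names.add(name)
    return names


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_ext_key_usage(der: bytes) -> list:
    """Decode an extKeyUsage SEQUENCE OF OBJECT IDENTIFIER into a list of OIDs."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        t, v, pos = _read_tlv(value, pos)
        if t != 0x06:
            raise ValueError("extKeyUsage members must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(v))
    return oids


def suitable_for(purpose: str, key_usage_der: bytes = None,
                 ext_key_usage_der: bytes = None) -> bool:
    """Apply the post's rules: if keyUsage is present, the one required bit
    must be set (no other bit is checked); if extKeyUsage is present on a
    certificate used for S/MIME messages, id-kp-emailProtection must be listed.
    A missing extension imposes no constraint."""
    required = REQUIRED_BIT[purpose]
    if key_usage_der is not None and required not in decode_key_usage(key_usage_der):
        return False
    if ext_key_usage_der is not None and purpose in SMIME_MESSAGE_PURPOSES:
        if ID_KP_EMAIL_PROTECTION not in decode_ext_key_usage(ext_key_usage_der):
            return False
    return True


# Constructed sample extension values (DER, hex):
KU_NONREP_KEYENC = bytes.fromhex("03020560")  # nonRepudiation + keyEncipherment
KU_CERTSIGN_CRLSIGN = bytes.fromhex("03020106")  # keyCertSign + cRLSign
EKU_EMAIL = bytes.fromhex("300A06082B06010505070304")  # { id-kp-emailProtection }
EKU_SERVER_ONLY = bytes.fromhex("300A06082B06010505070301")  # { id-kp-serverAuth }

if __name__ == "__main__":
    print(decode_key_usage(KU_NONREP_KEYENC), decode_ext_key_usage(EKU_EMAIL))
    print(suitable_for("encrypt_message", KU_NONREP_KEYENC, EKU_EMAIL))
    print(suitable_for("encrypt_message", KU_NONREP_KEYENC, EKU_SERVER_ONLY))
```

The checker only ever looks at the one bit the post names for each purpose, which matches the "no other bit needs to be checked" wording; a cert carrying keyCertSign and cRLSign is accepted for certificate and CRL verification but rejected for message signature verification or encryption because the message-level bits are absent. An extKeyUsage listing only serverAuth makes an otherwise acceptable encryption certificate unsuitable under the proposed rule, while a certificate with no extKeyUsage at all is unaffected by it.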