Key usage. No, wait, *extended* key usage
1998-02-05 01:59:14
Hmm. From PKIX part 1:
] 4.2.1.14 Extended key usage field
]
] This field indicates one or more purposes for which the certified
] public key may be used, in addition to or in place of the basic
] purposes indicated in the key usage extension field. This field is
] defined as follows:
Anyone want to take a stab at what action we should take about this
for S/MIME? This extension is a new one to me...
I should pay more attention in class.
<Grunt, groan. Putting on my flame retardant suit that seems to have
shrunk.>
I think our cryptographic use of X.509 certificates falls into four
cases. Someone chime in if there are more:
1. Encrypting a message
2. Verifying a signature for a message
3. Verifying a signature of a certificate
4. Verifying a signature of a CRL
For verifying a signature, the keyUsage extension (if present) MUST have
the nonRepudiation bit set. No other bit is required to be set for an
S/MIME signature verification certificate, and no other bit needs to be
checked when determining the suitability of a certificate for verifying
an S/MIME signature.
For encrypting a message, the keyUsage extension (if present) MUST have
the keyEncipherment bit set. No other bit is required to be set for an
S/MIME encrypting certificate, and no other bit needs to be checked when
determining the suitability of a certificate for encrypting an S/MIME
message.
For verifying a signature of a certificate, PKIX part 1 rules apply. I
presume that this means that exactly the keyCertSign bit must be set,
and no other bit needs to be checked... You know the drill.
For verifying a signature of a CRL (sorry, cRL), PKIX part 1 rules
apply. I presume that this means that exactly the cRLSign bit must be
set, and no other bit needs to be checked... Yadda yadda. I mean that
sincerely.
What to do about extendedKeyUsage? Do we require that
id-kp-emailProtection MUST be set if extendedKeyUsage is present,
otherwise don't use the certificate? This object identifier seems to
apply to us.
Guidance appreciated.
<someone help me out of this suit>
Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103 Fax +1 425 882 8060
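The four-case check Blake lays out above, written out as an added example (not part of the original post or any S/MIME implementation): it decodes DER keyUsage and extendedKeyUsage extension values without a PKI library and applies the rule the post proposes, with the id-kp-emailProtection requirement assumed to apply only to the two S/MIME cases. The sample DER values are constructed for the example.

```python
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]          # PKIX part 1 bit order
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
# The single keyUsage bit the post says MUST be set for each of its four cases
REQUIRED_BIT = {"encrypt": "keyEncipherment", "verify_message": "nonRepudiation",
                "verify_cert": "keyCertSign", "verify_crl": "cRLSign"}
# Constructed sample extension values (DER), not taken from any real certificate
SAMPLE_KU_SMIME = bytes.fromhex("03020560")                   # nonRepudiation + keyEncipherment
SAMPLE_EKU_EMAIL = bytes.fromhex("300a06082b06010505070304")  # only id-kp-emailProtection

def _tlv(der, offset=0):
    """Return (tag, value, next_offset) for a short-form DER TLV (length < 128)."""
    tag, length = der[offset], der[offset + 1]
    assert length < 0x80, "long-form length not handled in this example"
    return tag, der[offset + 2:offset + 2 + length], offset + 2 + length

def parse_key_usage(der):
    """Decode a KeyUsage BIT STRING into the set of named bits that are set."""
    tag, body, _ = _tlv(der)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, bits = body[0], body[1:]      # first byte counts unused trailing bits
    nbits = min(len(bits) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if bits[i // 8] & (0x80 >> (i % 8))}   # bit 0 is the MSB of byte 0

def parse_ext_key_usage(der):
    """Decode an ExtKeyUsage SEQUENCE OF OBJECT IDENTIFIER into dotted strings."""
    tag, body, _ = _tlv(der)
    assert tag == 0x30, "ExtKeyUsage must be a SEQUENCE"
    oids, offset = [], 0
    while offset < len(body):
        tag, value, offset = _tlv(body, offset)
        assert tag == 0x06, "expected OBJECT IDENTIFIER"
        arcs, acc = [value[0] // 40, value[0] % 40], 0
        for b in value[1:]:               # base-128 arcs, high bit = continuation
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc); acc = 0
        oids.append(".".join(map(str, arcs)))
    return oids

def suitable_for(purpose, key_usage_der=None, ext_key_usage_der=None):
    """Post's rule: a present keyUsage must carry the one required bit; for the two
    S/MIME cases a present extendedKeyUsage must list id-kp-emailProtection."""
    if key_usage_der is not None and REQUIRED_BIT[purpose] not in parse_key_usage(key_usage_der):
        return False
    if purpose in ("encrypt", "verify_message") and ext_key_usage_der is not None:
        return ID_KP_EMAIL_PROTECTION in parse_ext_key_usage(ext_key_usage_der)
    return True
```

An absent extension imposes no constraint, matching the post's "(if present)" wording, so a certificate with neither extension passes every case.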