ietf-smime

RE: Key usage. No, wait, *extended* key usage

1998-02-05 14:24:39
On Thursday, February 05, 1998 9:24 AM, jsp@jgvandyke.com [SMTP:jsp@jgvandyke.com] wrote:
In an earlier message, I recommended that the S/MIME v3 Cert Handling I-D, Sec 4.2, 1st para should be modified as follows:  Please add "as per [KEYM]" to "Certificate, CRL, and chain validation MUST be performed...".

If this comment is incorporated, then I believe that the S/MIME Cert I-D doesn't need to discuss the vast majority of the keyUsage checks that you list in your message because it will refer to the PKIX X.509 Cert and CRL Profile which provides sufficient info for the implementor to determine which keyUsage bits need to be checked in most of the situations that you describe in your message.

I forgot about this, and I have since added it to the editing pile.  I
paraphrased this as "PKIX part 1 rules apply" in my last message.

The only keyUsage-related text that I believe is appropriate for inclusion in the S/MIME Cert Spec is:  "Prior to verifying the signature of an S/MIME message, if the keyUsage extension is present in the signer's certificate and is indicated as being critical, then the verifying software MUST ensure that the nonRepudiation bit is set to 1."

Don't we need to explain the keyUsage field for sending an encrypted message?  It seems that on an outbound message:  "Prior to creating an encrypted content key for an S/MIME message, if the keyUsage extension is present in the encrypting certificate and is indicated as being critical, then the encrypting software MUST ensure that the keyEncipherment bit is set to 1."

I agree with your suggestion to add wording like:  "Prior to using the public key included in a certificate to support S/MIME security services, if the extendedKeyUsage extension is present in the certificate and is indicated as being critical, then the S/MIME software MUST ensure that the id-kp-emailProtection OID is present.  This check is only required for the end-entity certificates."

OK.

What about the criticality flags?  Is the only case where we check the
keyUsage when the criticality for the extension is set to 1?  I think it
should always be checked, regardless of its criticality.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060
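The checks debated in this message (nonRepudiation for signature verification, keyEncipherment for encryption, id-kp-emailProtection in extendedKeyUsage on end-entity certificates, and whether criticality gates the check at all), as an added illustration that is not part of the original thread or of any S/MIME implementation. It decodes raw DER-encoded extension values with a minimal DER reader, so it runs without any PKI library; the DER samples are constructed for the example, and the `honour_criticality_only` switch is an assumed parameter that selects between the quoted draft wording (check only critical extensions) and the reply's position (always check).

```python
"""
Added example, not code from the mailing-list thread: applies the keyUsage
and extendedKeyUsage checks under discussion to DER-encoded extension values.
All DER byte strings below are constructed samples; id-kp-emailProtection is
the real OID 1.3.6.1.5.5.7.3.4.
"""

# keyUsage bit numbering from the X.509 BIT STRING: bit 0 is the
# most-significant bit of the first content octet.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def _read_tlv(data, offset=0):
    """Decode one DER tag-length-value; returns (tag, value, offset after it)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der):
    """Return the set of keyUsage names whose bit is set in a DER BIT STRING."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused
    return {name for name, bit in KEY_USAGE_BITS.items()
            if bit < total_bits and bits[bit // 8] & (0x80 >> (bit % 8))}


def _decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_extended_key_usage(der):
    """Return the dotted OIDs in a DER SEQUENCE OF OBJECT IDENTIFIER."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        t, body, pos = _read_tlv(value, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(body))
    return oids


def check_smime_usage(purpose, key_usage=None, eku=None, end_entity=True,
                      honour_criticality_only=False):
    """
    purpose: "verify" (signer certificate) or "encrypt" (recipient certificate).
    key_usage / eku: (der_bytes, critical) or None when the extension is absent.
    honour_criticality_only=True follows the quoted draft text (check only
    critical extensions); False follows the reply (check whenever present).
    Returns (ok, reason).
    """
    required_bit = "nonRepudiation" if purpose == "verify" else "keyEncipherment"
    if key_usage is not None:
        der, critical = key_usage
        if critical or not honour_criticality_only:
            if required_bit not in decode_key_usage(der):
                return False, f"keyUsage lacks {required_bit}"
    if eku is not None and end_entity:  # EKU check applies to end-entity certs only
        der, critical = eku
        if critical or not honour_criticality_only:
            if ID_KP_EMAIL_PROTECTION not in decode_extended_key_usage(der):
                return False, "extendedKeyUsage lacks id-kp-emailProtection"
    return True, "ok"


# Constructed samples: digitalSignature+nonRepudiation, keyEncipherment only,
# EKU with emailProtection, EKU with serverAuth (1.3.6.1.5.5.7.3.1) only.
KU_SIGN = (bytes.fromhex("030206c0"), True)
KU_ENC = (bytes.fromhex("03020520"), False)
EKU_MAIL = (bytes.fromhex("300a06082b06010505070304"), True)
EKU_WEB = (bytes.fromhex("300a06082b06010505070301"), False)

if __name__ == "__main__":
    print("verify with signing cert:", check_smime_usage("verify", KU_SIGN, EKU_MAIL))
    print("encrypt, non-critical web-only EKU, draft rule:",
          check_smime_usage("encrypt", KU_ENC, EKU_WEB, honour_criticality_only=True))
    print("encrypt, same cert, always-check rule:",
          check_smime_usage("encrypt", KU_ENC, EKU_WEB))
```

The last two calls in the demo show the practical difference between the two positions: a non-critical extendedKeyUsage without id-kp-emailProtection passes under the "only if critical" wording and is rejected when the extension is checked whenever it is present.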