ietf-smime

RE: CERT-02 Comments

1998-03-24 14:55:28
On Tuesday, March 24, 1998 5:11 AM, jsp(_at_)jgvandyke(_dot_)com
[SMTP:jsp(_at_)jgvandyke(_dot_)com] wrote:
My recommended text regarding the keyUsage encipherOnly and decipherOnly
bits defines how those bits should be used when the public key is being
used to form a pairwise key.  The X.509 and PKIX specs are not crystal
clear regarding that point.  Furthermore, I believe that the X.509 and
PKIX specs are clear regarding the use of the other keyUsage bits, so
IMHO the S/MIME cert spec doesn't need to say anything about those bits.

Got it.

<begin slight rant>

Why is it that we have to be semantically exact in the keyUsage for
Diffie-Hellman?  For RSA encrypting certificates, we use the
keyEncipherment bit to reflect a certificate "that can be used to
encipher a key" (the protected symmetric key in the RecipientInfo).  In
the case of Diffie-Hellman, a certificate used for the exact same
semantic (protecting the symmetric key in the RecipientInfo) has
different bits set.  In order to make a decision regarding the
suitability of a certificate for the purpose of encrypting a message,
you must now take into account both the keyUsage and the
AlgorithmIdentifier that identifies the type of the public key.

<end slight rant>

Perhaps I don't understand this well enough.  Any enlightening words
welcome.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060
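
The decision described in the message above (suitability for encryption depends on both keyUsage and the public key's AlgorithmIdentifier), sketched as an added example that is not part of the original message. It assumes Diffie-Hellman certificates signal this use with the X.509 keyAgreement bit; the function names are hypothetical and the byte strings are constructed samples.

```python
# Added illustration; not code from the original message or from any S/MIME spec.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")  # X.509 bits 0..8

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption
DH_PUBLIC_NUMBER = "1.2.840.10046.2.1"     # dhpublicnumber (X9.42)


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING inside a keyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    # Bit 0 is the most significant bit of the first content octet.
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if body[i // 8] & (0x80 >> (i % 8))}


def encryption_suitability(alg_oid: str, key_usage_der: bytes):
    """Return (suitable, modifiers) for protecting a message's symmetric key.

    The same purpose maps to different bits per key type: keyEncipherment
    for RSA, keyAgreement for Diffie-Hellman (assumption stated in lead-in).
    encipherOnly/decipherOnly are returned, not interpreted, because how
    they restrict a pairwise key is the point the thread calls unclear.
    """
    usage = decode_key_usage(key_usage_der)
    if alg_oid == RSA_ENCRYPTION:
        return "keyEncipherment" in usage, set()
    if alg_oid == DH_PUBLIC_NUMBER:
        return "keyAgreement" in usage, usage & {"encipherOnly", "decipherOnly"}
    return False, set()  # unknown key type: refuse rather than guess


# Constructed keyUsage values (not taken from real certificates).
KU_KEY_ENCIPHERMENT = bytes.fromhex("03020520")
KU_KEY_AGREEMENT = bytes.fromhex("03020308")
KU_AGREE_ENCIPHER_ONLY = bytes.fromhex("03020009")
KU_AGREE_DECIPHER_ONLY = bytes.fromhex("0303070880")

if __name__ == "__main__":
    for oid in (RSA_ENCRYPTION, DH_PUBLIC_NUMBER):
        for ku in (KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT, KU_AGREE_DECIPHER_ONLY):
            print(oid, ku.hex(), encryption_suitability(oid, ku))
```

The same keyUsage bytes give opposite answers for the two key types, which is why the check cannot be made from keyUsage alone.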

