Blake,
I believe that my comment is appropriate. I believe that X.509 and PKIX
clearly state the requirements to check the keyUsage encipherOnly and
decipherOnly bits when the keyUsage keyAgreement bit is set to 1 and the
public key is to be used to either decrypt or encrypt data directly. I
believe that people will wonder how that rule applies when using the public
key to form a pairwise key to be used to encrypt or decrypt data. That is
where my proposed text would clarify the requirements.
My proposed text is not unique to D-H. It is applicable in any scenario in
which the keyUsage keyAgreement bit is set to 1 and the public key is to be
used to form a pairwise key (this includes KEA in addition to the variants
of D-H). The S/MIME software doesn't need to make a special check of the
subjectPublicKeyInfo algorithmIdentifier just so that it knows to make my
proposed keyUsage check. The S/MIME software will already know that a
pairwise key is required based on the subjectPublicKeyInfo
algorithmIdentifier. It will already be executing the code required to
generate a pairwise key. In that code, the check could be made, so there is
not an added, special check of the algorithmIdentifier just to indicate that
the keyUsage encipherOnly and decipherOnly bits must be checked.
By the way, here is text that was proposed for addition to the X.509 spec,
but I am not sure of the status of that change proposal: "The encipherOnly
and decipherOnly key usages are intended to provide support for key
agreement schemes where separate shared secret keys are used in each
direction of communication. In such a scheme, a user has more than one set
of key pairs and bits 7 (encipherOnly) and 8 (decipherOnly) are used to
distinguish between the two types. The originator of a message would use
the recipient's public key certificate with bits 4 (keyAgreement) and 7
(encipherOnly) to create a key encryption key. The recipient would use the
originator's certificate with bits 4 (keyAgreement) and 8 (decipherOnly) to
create the key encryption key. Typically the originator would pass his or
her own certificate with bits 4 and 8 along with the message."
If the WG believes that my proposal is redundant to X.509 and PKIX then I
will go along with that. Jim said he liked it, so that alone makes it all
worthwhile:)
- John Pawling