Blake,
Used with Triple-DES as a symmetric algorithm, a certificate is suitable
for encrypting a message iff:
1. The SubjectPublicKeyInfo AlgorithmIdentifier is rsaEncryption and the
keyUsage bit "keyEncipherment" is set (or keyUsage is not present).
2. The SubjectPublicKeyInfo AlgorithmIdentifier is dhpublicnumber and
the keyUsage bit "keyAgreement" is 1 and "decipherOnly" is 0 (or
keyUsage is not present, God Help you).
You could just as well add:
3. The SubjectPublicKeyInfo AlgorithmIdentifier is keyExchangeAlgorithm
(KEA) and the keyUsage bit "keyAgreement" is 1 and "decipherOnly" is 0 (or
keyUsage is not present).
There may be others that you could add as well.
Does the encipherOnly bit need to be checked at all? Isn't our use of
Diffie-Hellman limited to "forming a pairwise key to encrypt data"?
D-H is used by the originator to form a pairwise key (originator's private,
recipient's public) to encrypt the session key used to encrypt the data.
D-H is used by the recipient to form a pairwise key (originator's public,
recipient's private) to decrypt the session key used to decrypt the data.
The encipherOnly bit is checked during decryption (of course:). My original
proposal is repeated here for your convenience:
11) Sec 4.4.2, last para: Please add: "If the keyUsage keyAgreement bit is
set to 1 AND if the public key is to be used to form a pairwise key to
decrypt data, then the S/MIME agent MUST only use the public key if the
keyUsage encipherOnly bit is set to 0. If the keyUsage keyAgreement bit is
set to 1 AND if the key is to be used to form a pairwise key to encrypt
data, then the S/MIME agent MUST only use the public key if the keyUsage
decipherOnly bit is set to 0."
Blake (Diffie-Hellman impaired)
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103 Fax +1 425 882 8060
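The certificate-selection rules discussed in this message (rsaEncryption with keyEncipherment; dhpublicnumber or KEA with keyAgreement, where decipherOnly blocks use on the encrypting side and encipherOnly blocks use on the decrypting side; anything goes when keyUsage is absent) are written out below as an added example. It is not code from Blake Ramsdell, Worldtalk, or any S/MIME implementation on the list. The OIDs are the standard ones for rsaEncryption, dhpublicnumber and id-keyExchangeAlgorithm; the `CertKeyInfo` record stands in for a parsed certificate, and the DER KeyUsage samples are constructed for the demonstration.

```python
"""KeyUsage-driven certificate selection for S/MIME encryption.

Added example, not code from the message's author or any S/MIME product.
CertKeyInfo is a stand-in for the two fields of a parsed certificate that
the rules depend on; the DER KeyUsage samples below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set

# SubjectPublicKeyInfo algorithm OIDs named in the message.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption (PKCS #1)
DH_PUBLIC_NUMBER = "1.2.840.10046.2.1"    # dhpublicnumber (ANSI X9.42)
KEA = "2.16.840.1.101.2.1.1.22"           # id-keyExchangeAlgorithm (KEA)

# X.509 KeyUsage BIT STRING positions; bit 0 is the MSB of the first byte.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER KeyUsage BIT STRING (03 len unused bits...) to bit names.

    DER drops trailing zero bits, so decipherOnly (bit 8) is only present
    when a second content byte exists; bits beyond the encoded length are 0.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bit count")
    nbits = len(body) * 8 - unused
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < nbits and body[pos // 8] & (0x80 >> (pos % 8))}


@dataclass
class CertKeyInfo:
    """Stand-in for a parsed certificate: SPKI algorithm OID and keyUsage."""
    spki_algorithm: str                    # dotted OID of SubjectPublicKeyInfo.algorithm
    key_usage: Optional[Set[str]] = None   # None when the keyUsage extension is absent


def key_usage_permits(cert: CertKeyInfo, direction: str) -> bool:
    """May this certificate's public key be used in the given direction?

    direction == "encrypt": the originator forms a pairwise key (or wraps the
        content key with RSA) using this public key, i.e. the recipient's cert.
    direction == "decrypt": the recipient forms a pairwise key using this
        public key, i.e. the originator's cert (D-H/KEA only).
    """
    if direction not in ("encrypt", "decrypt"):
        raise ValueError(direction)
    ku = cert.key_usage
    if cert.spki_algorithm == RSA_ENCRYPTION:
        # Rule 1: RSA key transport needs keyEncipherment, or no keyUsage at all.
        # The *Only bits are defined only alongside keyAgreement, so they are ignored here.
        return ku is None or "keyEncipherment" in ku
    if cert.spki_algorithm in (DH_PUBLIC_NUMBER, KEA):
        # Rules 2 and 3: keyAgreement required; the *Only bit for the
        # opposite direction forbids use (decipherOnly blocks encrypt-side
        # use, encipherOnly blocks decrypt-side use).
        if ku is None:
            return True
        if "keyAgreement" not in ku:
            return False
        forbidden = "decipherOnly" if direction == "encrypt" else "encipherOnly"
        return forbidden not in ku
    return False  # DSA, ECDSA, unknown algorithms: not usable for S/MIME encryption


# Constructed DER KeyUsage values (tag 03, length, unused-bit count, bits).
SAMPLES = {
    "rsa_keyEncipherment": CertKeyInfo(RSA_ENCRYPTION, decode_key_usage(bytes.fromhex("03020520"))),
    "rsa_sigOnly": CertKeyInfo(RSA_ENCRYPTION, decode_key_usage(bytes.fromhex("03020780"))),
    "dh_agree": CertKeyInfo(DH_PUBLIC_NUMBER, decode_key_usage(bytes.fromhex("03020308"))),
    "dh_agree_decipherOnly": CertKeyInfo(DH_PUBLIC_NUMBER, decode_key_usage(bytes.fromhex("0303070880"))),
    "kea_agree_encipherOnly": CertKeyInfo(KEA, decode_key_usage(bytes.fromhex("03020009"))),
    "dh_no_keyUsage": CertKeyInfo(DH_PUBLIC_NUMBER, None),
}


def evaluate_samples() -> dict:
    """Return {name: (usable to encrypt, usable to decrypt)} for every sample."""
    return {name: (key_usage_permits(c, "encrypt"), key_usage_permits(c, "decrypt"))
            for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, (enc, dec) in evaluate_samples().items():
        print(f"{name:24s} encrypt={enc!s:5s} decrypt={dec!s:5s}")
```

The decoder matters more than it looks: decipherOnly lives in the second byte of the BIT STRING, and a checker that only inspects the first byte would treat a keyAgreement+decipherOnly certificate as fit for encrypting to, which is exactly the case the proposed text forbids.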