Trying to put this into S/MIME context it seems that Diffie-Hellman keys may
only be used in the way suggested by Russ Housley, i.e. for each recipient to
take recipient's Diffie-Hellman certificate (key agreement certificate), get
the public key from there, generate a shared key (Russ suggested 3DES) and use
it to encrypt the content-encryption key.

However, another possibility is to use El-Gamal algorithm with Diffie-Hellman
keys and encrypt the content-encryption key directly with recipient's
Diffie-Hellman public key. This would be a very similar operation as if the
recipient had RSA keys and keyEncipherment certificate. This seems to be a
much better way of using Diffie-Hellman keys, similar to the way RSA keys are
used for key encryption (unless I have missed some point here).

If you use the key this way then it's no longer DH but Elgamal, with its own
algorithm/object identifiers and usage requirements. For example some
generators which are OK for Elgamal encryption aren't secure for Elgamal
signatures, so if you've got DH-pretending-to-be-Elgamal (which PGP does, for
example) you can't just use it as if it were Elgamal. If you want to use a
key for Elgamal encryption/signatures, you should really call it Elgamal, and
not take a DH key and use it for something it was never designed for.

(If you want to get really nitpicky, there are actually three different
algorithms which use keys which look more or less the same: DH (key
exchange), Elgamal encryption == DH-Vernam encryption (encryption), and
Elgamal signatures (signature). It'd be nicer to actually call it Elgamal
rather than overload DH further and further.)

Peter.
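
The relationship discussed in this thread, as an added example that is not part of either message: one key pair (x, y = g^x mod p) is used first for key agreement that wraps a content-encryption key, then for textbook Elgamal encryption of the same key. The toy group, the SHA-256/XOR wrap standing in for 3DES, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group (assumption): Mersenne prime 2^127 - 1 with g = 3.
# Far too small for real use; it only keeps the numbers readable.
P = 2**127 - 1
G = 3

def keygen():
    """One private/public pair (x, y = g^x mod p); same form for DH and Elgamal."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    """Plain DH key agreement: both sides arrive at g^(x*k) mod p."""
    return pow(peer_pub, priv, P)

def _kek(shared):
    # Derive a key-encryption key from the agreed secret (illustrative KDF).
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def wrap_by_agreement(recip_pub, cek, k=None):
    """Key-agreement style: ephemeral-static DH yields a KEK that wraps the CEK.
    The XOR wrap is a stand-in for a real symmetric key wrap such as 3DES."""
    k = k or secrets.randbelow(P - 3) + 2
    kek = _kek(dh_shared(k, recip_pub))
    return pow(G, k, P), bytes(a ^ b for a, b in zip(cek, kek))

def unwrap_by_agreement(priv, eph_pub, wrapped):
    kek = _kek(dh_shared(priv, eph_pub))
    return bytes(a ^ b for a, b in zip(wrapped, kek))

def elgamal_encrypt(recip_pub, cek, k=None):
    """Textbook Elgamal (no padding): the same ephemeral DH secret masks the
    CEK by multiplication mod p instead of feeding a symmetric cipher."""
    k = k or secrets.randbelow(P - 3) + 2
    m = int.from_bytes(cek, "big")
    if not 0 < m < P:
        raise ValueError("CEK must encode a nonzero value below p")
    return pow(G, k, P), (m * dh_shared(k, recip_pub)) % P

def elgamal_decrypt(priv, c1, c2, length):
    s = dh_shared(priv, c1)              # recipient recomputes the DH secret
    m = (c2 * pow(s, -1, P)) % P         # strip the multiplicative mask
    return m.to_bytes(length, "big")
```

Both paths send the same ephemeral value g^k and rely on the same shared secret; they differ only in how that secret is applied to the content-encryption key, which is why the operations carry separate algorithm identifiers.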