Generally, good cryptographic practice employs a given RSA key pair
in only one scheme. This practice avoids the risk that vulnerability
in one scheme may compromise the security of the other, and may be
essential to maintain provable security. While PKCS #1 Version 1.5
[PKCS#1v1.5] has been employed for both key transport and digital
signature without any known bad interactions, such a combined use of
an RSA key pair is not recommended in the future. Therefore, an RSA
key pair used for RSAES-OAEP key transport should not also be used
for other purposes.
Does "other purposes" here mean "signing" or "other types of key transport"?
The comparison with PKCS #1 v1 seems to imply "signing", but it could also be
interpreted to mean PKCS #1v1 vs. PKCS #1v2 key transport... I could see that
the latter might lead to problems when you're communicating with existing
implementations, or a mixture of old and new.
Peter.