pem-dev

Re: X.509 v3 Standard Extensions PDAM

1995-01-30 19:15:00

The X.509 v3 Standard Extensions PDAM suggests that CA-certificate
represented keys may not be used other than for signing certificates,
CRLs, and on-line CRLs.

(See KeyUsage ASN)

When mailing revocation information to a CA, as in DMS P.48 CKL
procedures, it may be necessary to use the CA's signing key for other
usages/purposes - e.g. key agreement.

The KeyUsage specification text suggests the use of CA keys for only
CAKeyUsage purposes, which doesn't include the above purpose.

More generally,

The mail-based control procedures used between a CA subscriber and a CA
during certificate issuance may well entail the transfer of
registration details and/or instructions to the subscriber, whose
nature requires the information to be maintained private. In a
store-and-forward security environment, there is a definite need to use
CA keys for key exchange or key agreement to facilitate such services.

The PDAM suggests that CAs must issue subordinate CAs an end-entity
certificate to account for these functions, currently.
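
Added example, not part of the original message: a relying-party check showing why a CA key marked only for certificate and CRL signing fails a key-agreement use, so that a second certificate is needed. It assumes the KeyUsage BIT STRING layout of the later published X.509 v3 / RFC 5280 (the PDAM draft ASN.1 is not reproduced in the message); the certificate names and DER values are constructed.

```python
# Added example. Bit names follow RFC 5280 KeyUsage, an assumption here:
# the 1995 PDAM draft syntax discussed in the message is not shown on the page.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding KeyUsage into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(payload) * 8 - unused
    usages = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content octet.
        if payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages

def key_permits(der: bytes, purpose: str) -> bool:
    """True only if the certificate's KeyUsage explicitly lists the purpose."""
    return purpose in decode_key_usage(der)

# Constructed sample values (not taken from any real certificate).
CA_SIGNING_ONLY = bytes.fromhex("03020106")   # keyCertSign + cRLSign
CA_END_ENTITY_KA = bytes.fromhex("03020308")  # keyAgreement only

# Hypothetical names: the CA's signing certificate and the separate
# end-entity certificate issued to the same CA for key agreement.
CA_CERTS = {"ca-signing": CA_SIGNING_ONLY, "ca-key-agreement": CA_END_ENTITY_KA}

def choose_cert_for(purpose: str, certs: dict) -> list:
    """Return the names of certificates whose KeyUsage permits the purpose."""
    return [name for name, ku in certs.items() if key_permits(ku, purpose)]

if __name__ == "__main__":
    for p in ("keyCertSign", "cRLSign", "keyAgreement"):
        print(p, "->", choose_cert_for(p, CA_CERTS))
```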
