Peter:
You said:
the X.509 v3 Standard Extensions PDAM suggests that CA-certificate
represented keys may not be used other than for signing
certificates, CRLs, and on-line CRLs.
(See KeyUsage ASN)
When mailing revocation information to a CA, as in DMS P.48 CKL
procedures, it may be necessary to use the CA's signing key for
other usages/purposes - e.g. key agreement.
I disagree. In this case, the CA's certificate should contain more than
one public key. In fact, in the DMS MOSAIC algorithm suite, the CA would use
DSS for signing and KEA for key agreement. Although these two algorithms
could use the same public/private key pair, DMS is using separate key pairs
for each algorithm. The expectation is that KEA key pairs will have a
shorter lifetime than DSS key pairs.
Russ
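The KeyUsage restriction the two messages argue about, as an added example that is not part of the thread: it decodes the DER BIT STRING of the X.509 KeyUsage extension and flags a CA signing key that carries anything beyond certificate and CRL signing, so a separate key (the KEA key in Russ's description) would be the only one allowed to carry keyAgreement. The sample encodings and the DSS/KEA labels on them are constructed for illustration.

```python
# Decode an X.509 KeyUsage BIT STRING (DER) and flag a CA signing key that
# carries usages beyond certificate and CRL signing.

# KeyUsage bit positions from the X.509 ASN.1 definition; bit 0 is the MSB
# of the first content byte in a DER BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}

# Usages a CA signing key should be limited to, per the thread.
CA_SIGNING_USAGES = {"keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) into the set of named usages.
    Assumes short-form length, which every real KeyUsage encoding uses."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bit count out of range")
    content = der[3:]
    total_bits = len(content) * 8 - unused
    usages = set()
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        if content[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(KEY_USAGE_BITS[bit])
    return usages


def check_ca_signing_key(der: bytes) -> list:
    """Return usages beyond cert/CRL signing; empty means the key is
    restricted the way the extension intends."""
    return sorted(decode_key_usage(der) - CA_SIGNING_USAGES)


# Constructed sample encodings (not taken from any real certificate):
DSS_CA_KEY_USAGE = bytes.fromhex("03020106")  # keyCertSign | cRLSign
KEA_KEY_USAGE = bytes.fromhex("03020308")     # keyAgreement only
MIXED_KEY_USAGE = bytes.fromhex("0302010e")   # keyAgreement + keyCertSign + cRLSign

if __name__ == "__main__":
    print(check_ca_signing_key(DSS_CA_KEY_USAGE))  # []
    print(check_ca_signing_key(MIXED_KEY_USAGE))   # ['keyAgreement']
```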