pem-dev

Re: X.509 v3 Standard Extensions PDAM

1995-01-31 08:59:00

Peter:

You said:
     the X.509 v3 Standard Extensions PDAM suggests that CA-certificate 
     represented keys may not be used other than for signing 
     certificates, CRLs, and on-line CRLs.
     
     (See KeyUsage ASN)
     
     When mailing revocation information to a CA, as in DMS P.48 CKL 
     procedures, it may be necessary to use the CA's signing key for 
     other usages/purposes - e.g. Key agreement.

I disagree.  In this case, the CA's certificate should contain more than 
one public key.  In fact, in the DMS MOSAIC algorithm suite, the CA would use 
DSS for signing and KEA for key agreement.  Although these two algorithms 
could use the same public/private key pair, DMS is using separate key pairs 
for each algorithm.  The expectation is that KEA key pairs will have a 
shorter lifetime than DSS key pairs.

Russ
