
Re: X.509 v3 Standard Extensions PDAM

1995-02-01 17:08:00

Peter,

I read the PDAM very differently.  The attribute KeyUsage associated
with the primary key (or secondary key) is "for use in finding
the correct key/certificate of a user who has multiple keys/
certificates.  It is an advisory field and does not imply
usage of the key is restricted to the purpose indicated."  (12.2.2.2)

If a CA has a single cert/key for an algorithm, then this
field is absent and the CA can use the key/cert for
signing certs and for email, authentication, etc.  If the
CA has two different certs/keys - one for each purpose - the
CA can still perform the needed functions.  I'm not sure
what problem you're describing.

My understanding of the primaryKeyUsageRestriction is to
control how all keys within a portion of the hierarchy are
used.  In this context, I assume the types of restriction
are more policy related in terms of the context of the
information/transaction handled than associated with
the types of restriction in keyUsage.

Dave


Date:    Mon, 30 Jan 95 17:43:16 PST
From:    Peter Williams <williams(_at_)atlas(_dot_)arc(_dot_)nasa(_dot_)gov>
Subject: Re: X.509 v3 Standard Extensions PDAM
The X.509 v3 Standard Extensions PDAM suggests that CA-certificate
represented keys may not be used other than for signing certificates,
CRLs, and on-line CRLs.

(See KeyUsage ASN)

When mailing revocation information to a CA, as in DMS P.48 CKL
procedures, it may be necessary to use the CA's signing key for other
usages/purposes - e.g. key agreement.

The KeyUsage specification text suggests the use of CA keys for only
CAKeyUsage purposes, which doesn't include the above purpose.

More generally,

The mail-based control procedures used between a CA subscriber and a CA
during certificate issuance may well entail the transfer of
registration details and/or instructions to the subscriber, whose
nature requires the information to be maintained private. In a
store-and-forward security environment, there is definite need to use
CA keys for key exchange or key agreement to facilitate such services.

The PDAM suggests that CAs must issue subordinate CAs an end-entity
certificate to account for these functions, currently.
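Added illustration (not from either message in this thread): the KeyUsage extension both messages argue over is a DER BIT STRING of named bits, and a relying party checking whether a CA key may be used for key agreement just tests one bit. The bit names and positions below are those of the later published X.509 v3 / RFC 5280 KeyUsage, not the 1995 PDAM draft's list (assumption); the absent-means-unrestricted rule in `permits` follows Dave's reading of the advisory field.

```python
"""Encode/decode the X.509 KeyUsage BIT STRING (DER) and check a purpose."""
from typing import Optional

# Named bits of the published X.509 v3 / RFC 5280 KeyUsage.  Assumption: the
# 1995 PDAM under discussion used a slightly different list of bit names.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def encode_key_usage(names: set[str]) -> bytes:
    """DER-encode a KeyUsage value; trailing zero bits are dropped (DER rule)."""
    if not names:
        return b"\x03\x01\x00"            # empty BIT STRING: tag, len 1, 0 unused
    highest = max(KEY_USAGE_BITS[n] for n in names)
    nbytes = highest // 8 + 1
    val = 0
    for n in names:
        bit = KEY_USAGE_BITS[n]
        val |= 1 << (nbytes * 8 - 1 - bit)  # bit 0 is the MSB of the first byte
    unused = 7 - (highest % 8)
    body = bytes([unused]) + val.to_bytes(nbytes, "big")
    return b"\x03" + bytes([len(body)]) + body

def decode_key_usage(der: bytes) -> set[str]:
    """Parse a short-form DER KeyUsage BIT STRING back into its named bits."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, bits = der[2], der[3:]
    if unused > 7 or (not bits and unused):
        raise ValueError("invalid unused-bits count")
    total = len(bits) * 8 - unused
    return {n for n, b in KEY_USAGE_BITS.items()
            if b < total and bits[b // 8] >> (7 - b % 8) & 1}

def permits(key_usage: Optional[set[str]], purpose: str) -> bool:
    """Absent extension => no restriction; present => the purpose bit must be set."""
    return key_usage is None or purpose in key_usage

if __name__ == "__main__":
    # Constructed sample: a CA key flagged for certificate and CRL signing only.
    ca_ku = encode_key_usage({"keyCertSign", "cRLSign"})
    print(ca_ku.hex())                                   # 03020106
    print(permits(decode_key_usage(ca_ku), "keyAgreement"))  # False
```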
