Re: key usage - key encipherment or data encipherment
Andrew Sciberras <andrewsciberras@xxxxxxxxx> writes:
> The keyEncipherment bit is asserted when the subject public key is
> used for key transport. For example, when an RSA key is to be
> used for key management, then this bit shall be asserted.
>
> The dataEncipherment bit is asserted when the subject public key
> is used for enciphering user data, other than cryptographic keys.
Quoting that won't help (I've seen this sort of thing before) because as far
as the user is concerned what's being encrypted is data, so the valid bit to
use is dataEncipherment (quite logical to them). What might help is to make
this more explicit in the text:
    The dataEncipherment bit is asserted when the subject public key is used for
    directly enciphering raw user data without the use of an intermediate
    symmetric cipher. This bit MUST NOT be set when the intention is to
    encipher intermediate cryptographic keys rather than raw user data.
Peter.
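The distinction the thread is about is easy to get wrong in relying-party code as well as in CA profiles: a verifier that accepts dataEncipherment where the RSA key actually wraps a content-encryption key is applying the wrong bit. The following is an added example, not code from the thread or from any PKIX implementation; it decodes a KeyUsage extension value (a DER BIT STRING, RFC 5280 section 4.2.1.3) with the standard library only and applies the two checks that Peter's proposed text implies. The byte strings are constructed test vectors, not taken from a real certificate.

```python
"""Decode an X.509 KeyUsage value (DER BIT STRING) and apply the
keyEncipherment / dataEncipherment distinction.

Added example for the thread above; the DER vectors below are constructed,
not extracted from any real certificate.
"""

# Bit positions as named in RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (called contentCommitment in later editions)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)


def decode_key_usage(der: bytes) -> frozenset:
    """Return the set of asserted KeyUsage bit names from a DER BIT STRING.

    Strict DER only: short-form length, at most 7 unused bits, and zero
    padding bits. Lenient decoding would let two different encodings map to
    the same usage set, which is exactly what a policy check must not allow.
    """
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    if length == 0:
        raise ValueError("BIT STRING must carry an unused-bits octet")
    unused = der[2]
    bit_bytes = der[3:]
    if unused > 7 or (unused and not bit_bytes):
        raise ValueError("invalid unused-bits count")
    if bit_bytes and unused and bit_bytes[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    total_bits = len(bit_bytes) * 8 - unused
    asserted = set()
    for i in range(total_bits):
        if bit_bytes[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of byte 0
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown KeyUsage bit {i}")
            asserted.add(KEY_USAGE_BITS[i])
    return frozenset(asserted)


def is_valid_der_key_usage(der: bytes) -> bool:
    """True if the value decodes as a strict DER KeyUsage BIT STRING."""
    try:
        decode_key_usage(der)
        return True
    except ValueError:
        return False


def fit_for_key_transport(usage: frozenset) -> bool:
    """RSA that wraps a content-encryption key (CMS key transport, TLS RSA
    key exchange) needs keyEncipherment. dataEncipherment is not a
    substitute, even though the user sees only 'data' being encrypted."""
    return "keyEncipherment" in usage


def fit_for_direct_data_encryption(usage: frozenset) -> bool:
    """RSA applied directly to raw user data, with no intermediate
    symmetric key, needs dataEncipherment."""
    return "dataEncipherment" in usage


# Constructed vectors (hypothetical, not from real certificates):
KU_KEY_ENC_ONLY = bytes.fromhex("03020520")     # keyEncipherment
KU_DATA_ENC_ONLY = bytes.fromhex("03020410")    # dataEncipherment
KU_SIG_AND_KEY_ENC = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment
KU_BAD_PADDING = bytes.fromhex("03020521")      # padding bit set: rejected as non-DER


if __name__ == "__main__":
    for name, der in (("keyEnc only", KU_KEY_ENC_ONLY),
                      ("dataEnc only", KU_DATA_ENC_ONLY),
                      ("sig+keyEnc", KU_SIG_AND_KEY_ENC)):
        u = decode_key_usage(der)
        print(f"{name:13s} {sorted(u)} key-transport={fit_for_key_transport(u)} "
              f"direct-data={fit_for_direct_data_encryption(u)}")
    print("bad padding accepted:", is_valid_der_key_usage(KU_BAD_PADDING))
```

A certificate carrying only dataEncipherment therefore fails the key-transport check, which is the outcome the proposed wording is meant to make obvious to certificate issuers; the strict padding check is there because a decoder that tolerates non-DER encodings can be steered into reading a different bit pattern than the one the signer intended.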