Re: key usage - key encipherment or data encipherment

["Wen-Cheng Wang" <wcwang@xxxxxxxxxx>]

Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> wrote:
> Andrew Sciberras <andrewsciberras@xxxxxxxxx> writes:
>
> >     The keyEncipherment bit is asserted when the subject public key is
> >      used for key transport.  For example, when an RSA key is to be
> >      used for key management, then this bit shall asserted.
> >
> >      The dataEncipherment bit is asserted when the subject public key
> >      is used for enciphering user data, other than cryptographic keys.
>
> Quoting that won't help (I've seen this sort of thing before) because as far
> as the user is concerned what's being encrypted is data, so the valid bit to
> use is dataEncipherment (quite logical to them).  What might help is to make
> this more explicit in the text:
>
>  The dataEncipherment bit is asserted when the subject public key is used for
>  directly enciphering raw user data without the use of an intermediate
>  symmetric cipher.  This bit MUST NOT be set when the intention is to
>  encipher intermediate cryptographic keys rather than raw user data.
It is better to clarify that it is legitimate to assert both the keyEncipherment bit
and the dataEncipherment bit in one certificate. In that case, it means that the
key (e.g., RSA key) may be used for enciphering intermediate cryptographic
keys or directly enciphering raw user data (e.g., user password).

Wen-Cheng Wang