
Re: key usage - key encipherment or data encipherment



Peter Gutmann wrote:
Andrew Sciberras <andrewsciberras@xxxxxxxxx> writes:

  The keyEncipherment bit is asserted when the subject public key is
  used for key transport.  For example, when an RSA key is to be
  used for key management, then this bit shall be asserted.

  The dataEncipherment bit is asserted when the subject public key
  is used for enciphering user data, other than cryptographic keys.

Quoting that won't help (I've seen this sort of thing before) because as far
as the user is concerned what's being encrypted is data, so the valid bit to
use is dataEncipherment (quite logical to them).  What might help is to make
this more explicit in the text:

  The dataEncipherment bit is asserted when the subject public key is used for
  directly enciphering raw user data without the use of an intermediate
  symmetric cipher.  This bit MUST NOT be set when the intention is to
  encipher intermediate cryptographic keys rather than raw user data.

Yeah, I see your point Peter.
Simon seems to know what he's talking about and made the point that the key is actually encrypting an AES key; he then wanted a standards-based opinion.
I think RFC 2459 clearly states what each of the key usage bits are to be used for.

I don't think that the user's interpretation of what's being encrypted is significant at all. It's more about the developers who are writing decision-making code understanding the various usages. At that point the developer should be very aware of how the key associated with the certificate is being used, and therefore 2459's description should suffice.


Peter.
Andrew Sciberras.
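As an added example that is not part of the original thread, here is a small pure-Python check that applies the RFC 2459 distinction discussed above: it decodes the keyUsage BIT STRING from a certificate extension and decides whether the certificate permits the operation the developer actually intends. Wrapping an AES key is key transport and requires keyEncipherment; only direct RSA encryption of user data requires dataEncipherment. The operation names and the sample DER values are constructed for this example.

```python
from typing import Dict, Set

# Bit positions from RFC 2459 section 4.2.1.3; bit 0 is the MSB of the first byte.
KEY_USAGE_BITS: Dict[int, str] = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}

# Hypothetical operation names mapped to the bit RFC 2459 requires for them.
# Encrypting a symmetric key (e.g. an AES key) is key transport, not "data".
REQUIRED_BIT: Dict[str, str] = {
    "wrap_symmetric_key": "keyEncipherment",
    "encrypt_raw_data": "dataEncipherment",
}

def parse_key_usage(der: bytes) -> Set[str]:
    """Decode a DER BIT STRING (the keyUsage extension value) into named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:   # keyUsage always fits short form
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    names: Set[str] = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS.get(i, f"bit{i}"))
    return names

def permits(key_usage_der: bytes, operation: str) -> bool:
    """True if the certificate's keyUsage allows the intended operation."""
    return REQUIRED_BIT[operation] in parse_key_usage(key_usage_der)

# Constructed sample extension values, not taken from any real certificate.
KU_KEY_ENC = bytes.fromhex("03020520")   # keyEncipherment only
KU_DATA_ENC = bytes.fromhex("03020410")  # dataEncipherment only
KU_BOTH = bytes.fromhex("03020430")      # keyEncipherment + dataEncipherment

if __name__ == "__main__":
    for label, ku in (("keyEnc", KU_KEY_ENC), ("dataEnc", KU_DATA_ENC)):
        print(label, sorted(parse_key_usage(ku)),
              "may wrap an AES key:", permits(ku, "wrap_symmetric_key"))
```

A certificate carrying only dataEncipherment is rejected for key transport, which is exactly the case where a developer who thinks "I'm encrypting data" would have asserted the wrong bit.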