
RE: key usage - key encipherment or data encipherment



Does anyone use dataEncipherment?

Miguel A Rodríguez
SeguriData
Mexico

At 03:47 AM 5/11/2005, Wen-Cheng Wang wrote:


>Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> wrote:
>>Andrew Sciberras <andrewsciberras@xxxxxxxxx> writes:
>>
>>>     The keyEncipherment bit is asserted when the subject public key is
>>>      used for key transport.  For example, when an RSA key is to be
>>>      used for key management, then this bit shall be asserted.
>>>
>>>      The dataEncipherment bit is asserted when the subject public key
>>>      is used for enciphering user data, other than cryptographic
>>>      keys.
>>Quoting that won't help (I've seen this sort of thing before) because
>>as far as the user is concerned what's being encrypted is data, so the
>>valid bit to use is dataEncipherment (quite logical to them).  What
>>might help is to make this more explicit in the text:
>>  The dataEncipherment bit is asserted when the subject public key is
>>  used for directly enciphering raw user data without the use of an
>>  intermediate symmetric cipher.  This bit MUST NOT be set when the
>>  intention is to encipher intermediate cryptographic keys rather than
>>  raw user data.
>It is better to clarify that it is legitimate to assert both the
>keyEncipherment bit and the dataEncipherment bit in one certificate. In
>that case, it means that the key (e.g., RSA key) may be used for
>enciphering intermediate cryptographic keys or directly enciphering raw
>user data (e.g., user password).
>
>Wen-Cheng Wang
>
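Added example (my own code, not part of this thread, RFC 3280 or any listed product): the keyUsage extension is a DER BIT STRING, and the whole discussion above comes down to which named bits a relying party finds in it. The block below encodes and decodes that BIT STRING with the standard library only, and then answers the practical question: does the certificate permit RSA key transport (keyEncipherment), direct RSA encryption of user data (dataEncipherment), or both? The bit numbers follow the KeyUsage ASN.1 definition; the DER byte strings are constructed here and come from no real certificate; treating an absent extension as "no restriction" is the conventional reading of RFC 3280 and is marked as an assumption in the code.

```python
# Added example, not from the mailing-list thread: encode/decode the X.509
# KeyUsage BIT STRING and map it onto the two encryption uses the thread
# distinguishes. Standard library only; all DER samples are constructed.

# Bit positions from the KeyUsage ASN.1 definition (RFC 3280, 4.2.1.3).
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def encode_key_usage(names):
    """Return the DER encoding of a KeyUsage with the named bits set.

    DER rules for a named BIT STRING: bit 0 is the most significant bit of
    the first content octet, trailing zero bits are dropped, and the first
    content octet records how many bits of the last octet are unused.
    """
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return bytes([0x03, 0x01, 0x00])          # empty BIT STRING
    nbytes = bits[-1] // 8 + 1
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (bits[-1] + 1)
    content = bytes([unused]) + bytes(value)
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING into the set of asserted bit names.

    Malformed or non-minimal encodings raise ValueError instead of being
    guessed at: a lenient parser here is how a dataEncipherment-only
    certificate ends up accepted for key transport.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")           # KeyUsage never needs long form
    unused, value = der[2], der[3:]
    if unused > 7 or (unused and not value):
        raise ValueError("bad unused-bit count")
    if value and value[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    if value and not value[-1] & (1 << unused):
        raise ValueError("trailing zero bits must be removed (DER)")
    total_bits = len(value) * 8 - unused
    return {
        name
        for name, b in KEY_USAGE_BITS.items()
        if b < total_bits and value[b // 8] & (0x80 >> (b % 8))
    }


def is_valid_key_usage(der):
    """True if decode_key_usage() accepts the encoding."""
    try:
        decode_key_usage(der)
        return True
    except ValueError:
        return False


def allowed_rsa_encryption_uses(der_or_none):
    """Map a certificate's keyUsage to the two RSA encryption uses.

    key_transport: the RSA key wraps a symmetric content key (e.g. a CMS
                   KeyTransRecipientInfo); this needs keyEncipherment.
    direct_data:   the RSA key encrypts the user data itself; this needs
                   dataEncipherment.
    Assumption: a certificate with no keyUsage extension is unrestricted.
    """
    if der_or_none is None:
        asserted = set(KEY_USAGE_BITS)
    else:
        asserted = decode_key_usage(der_or_none)
    return {
        "key_transport": "keyEncipherment" in asserted,
        "direct_data": "dataEncipherment" in asserted,
    }


# Constructed samples (not taken from any real certificate).
SMIME_ENCRYPTION_CERT = encode_key_usage(["digitalSignature", "keyEncipherment"])
BOTH_ENCIPHERMENT_BITS = encode_key_usage(["keyEncipherment", "dataEncipherment"])
DATA_ENCIPHERMENT_ONLY = encode_key_usage(["dataEncipherment"])

if __name__ == "__main__":
    for label, der in [("S/MIME-style", SMIME_ENCRYPTION_CERT),
                       ("both bits", BOTH_ENCIPHERMENT_BITS),
                       ("dataEncipherment only", DATA_ENCIPHERMENT_ONLY)]:
        print(label, der.hex(), allowed_rsa_encryption_uses(der))
```

Running it shows the point of the thread in bytes: a dataEncipherment-only certificate (`03 02 04 10`) does not permit key transport, while the one Wen-Cheng describes with both bits set (`03 02 04 30`) permits either use. The decoder is deliberately strict about DER minimality; real-world certificates do occasionally ship a keyUsage with trailing zero bits, so a production path-validation library may choose to tolerate that while still refusing nonzero unused bits.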