Does anyone use dataEncipherment?
Miguel A Rodríguez
SeguriData
Mexico
At 03:47 AM 5/11/2005, Wen-Cheng Wang wrote:
>Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> wrote:
>>Andrew Sciberras <andrewsciberras@xxxxxxxxx> writes:
>>
>>> The keyEncipherment bit is asserted when the subject public key is
>>> used for key transport. For example, when an RSA key is to be
>>> used for key management, then this bit shall be asserted.
>>>
>>> The dataEncipherment bit is asserted when the subject public key
>>> is used for enciphering user data, other than cryptographic
>>> keys.
>>Quoting that won't help (I've seen this sort of thing before) because
>>as far as the user is concerned what's being encrypted is data, so the
>>valid bit to use is dataEncipherment (quite logical to them). What
>>might help is to make this more explicit in the text:
>> The dataEncipherment bit is asserted when the subject public key is
>> used for directly enciphering raw user data without the use of an
>> intermediate symmetric cipher. This bit MUST NOT be set when the
>> intention is to encipher intermediate cryptographic keys rather than
>> raw user data.
>It is better to clarify that it is legitimate to assert both the
>keyEncipherment bit and the dataEncipherment bit in one certificate.
>In that case, it means that the key (e.g., RSA key) may be used for
>enciphering intermediate cryptographic keys or directly enciphering
>raw user data (e.g., user password).
>
>Wen-Cheng Wang
>
>
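The distinction the quoted text draws (keyEncipherment for wrapping an intermediate symmetric key, dataEncipherment for enciphering raw user data directly, and both bits legitimately set in one certificate) only matters if relying parties actually inspect the keyUsage bits. The following is an added example, not code from any participant in this thread: it DER-encodes and decodes the keyUsage extension value as a BIT STRING using the bit numbers from the KeyUsage definition in RFC 5280 (digitalSignature is bit 0, keyEncipherment bit 2, dataEncipherment bit 3, and so on), and then applies the rule discussed above when deciding whether a key may be used for key transport or for direct data encryption. The function names, the small purpose-check helpers and the sample encodings are this example's own.

```python
# Added example, not part of the PKIX thread above: keyUsage as a DER BIT
# STRING, plus the keyEncipherment / dataEncipherment decision rule.

# Bit numbers from the KeyUsage named bit list in RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,      # called contentCommitment in later X.509 editions
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def encode_key_usage(names):
    """DER-encode a set of KeyUsage bit names as a BIT STRING (tag 0x03).

    Bit 0 is the most significant bit of the first content octet. DER drops
    trailing zero bits of a named bit list, so the unused-bits octet is
    derived from the highest set bit rather than always being 7 or 0.
    """
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING: only the unused-bits octet
    highest = bits[-1]
    nbytes = highest // 8 + 1
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - (highest + 1)
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return b"\x03" + bytes([len(content)]) + content


def decode_key_usage(der):
    """Parse a DER BIT STRING holding KeyUsage and return the set of bit names.

    Rejects the malformed shapes a lenient decoder would silently accept:
    wrong tag, long-form or inconsistent length, more than 7 unused bits,
    and non-zero padding bits.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits octet")
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    total_bits = len(body) * 8 - unused
    names = set()
    for name, bit in KEY_USAGE_BITS.items():
        if bit < total_bits and body[bit // 8] & (0x80 >> (bit % 8)):
            names.add(name)
    return names


def allows_key_transport(usage):
    """Key transport, e.g. RSA-wrapping a CMS content-encryption key:
    requires keyEncipherment; dataEncipherment alone is not enough."""
    return "keyEncipherment" in usage


def allows_raw_data_encryption(usage):
    """Enciphering user data directly with the public key, with no
    intermediate symmetric cipher: requires dataEncipherment."""
    return "dataEncipherment" in usage


if __name__ == "__main__":
    # Constructed sample certificates: the thread's three interesting cases.
    samples = {
        "keyEncipherment only": ["keyEncipherment"],
        "dataEncipherment only": ["dataEncipherment"],
        "both bits": ["keyEncipherment", "dataEncipherment"],
    }
    for label, names in samples.items():
        der = encode_key_usage(names)
        usage = decode_key_usage(der)
        print(f"{label:22} DER={der.hex()} key transport={allows_key_transport(usage)} "
              f"raw data={allows_raw_data_encryption(usage)}")
```

The encoding detail worth noticing is the unused-bits octet: keyEncipherment alone encodes as 03 02 05 20, while keyEncipherment plus dataEncipherment encodes as 03 02 04 30, because DER strips trailing zero bits from a named bit list. A decoder that assumes a fixed padding value, or does not check that the padding bits are zero, will misread hand-built or malformed extensions.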