[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: key usage - key encipherment or data encipherment

To: "Russ Housley" <housley@xxxxxxxxxxxx>
Subject: Re: key usage - key encipherment or data encipherment
From: "Wen-Cheng Wang" <wcwang@xxxxxxxxxx>
Date: Thu, 12 May 2005 13:10:18 +0800
Cc: <ietf-pkix@xxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Chunghwa Telecom
References: <E1DVjrY-0006hg-00@xxxxxxxxxxxxxxxxxxxxxxxxxx><> <6.2.1.2.2.20050511113838.0555a8a0@xxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


Russ,

Yes, RFC 3280 is quite clear for that. However, I worried
that the discussions of this thread might mislead the
participants into believing that the two bits are mutually
exclusive. Therefore, I simply want to remind the
participants of this thread the fact that the keyEncipherment
bit and dataEncipherment bit can work well togethor.

Wen-Cheng Wang

----- Original Message -----From: "Russ Housley" <housley@xxxxxxxxxxxx>

To: "Wen-Cheng Wang" <wcwang@xxxxxxxxxx>
Cc: <ietf-pkix@xxxxxxxx>
Sent: Wednesday, May 11, 2005 11:40 PM
Subject: Re: key usage - key encipherment or data encipherment

I believe that RFC 3280 is quite clear that more than one of these bits canbe set. It says:


   This profile does not restrict the combinations of bits that may be
   set in an instantiation of the keyUsage extension.  However,
   appropriate values for keyUsage extensions for particular algorithms
   are specified in [PKIXALGS].

Russ

At 03:47 AM 5/11/2005, Wen-Cheng Wang wrote:

Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> wrote:

Andrew Sciberras <andrewsciberras@xxxxxxxxx> writes:

    The keyEncipherment bit is asserted when the subject public key is
     used for key transport.  For example, when an RSA key is to be
     used for key management, then this bit shall asserted.

     The dataEncipherment bit is asserted when the subject public key
     is used for enciphering user data, other than cryptographic keys.

Quoting that won't help (I've seen this sort of thing before) because as far
as the user is concerned what's being encrypted is data, so the valid bit to
use is dataEncipherment (quite logical to them).  What might help is to make
this more explicit in the text:

The dataEncipherment bit is asserted when the subject public key isused for

 directly enciphering raw user data without the use of an intermediate
 symmetric cipher.  This bit MUST NOT be set when the intention is to
 encipher intermediate cryptographic keys rather than raw user data.

It is better to clarify that it is legitimate to assert both thekeyEncipherment bitand the dataEncipherment bit in one certificate. In that case, it meansthat the

key (e.g., RSA key) may be used for enciphering intermediate cryptographic
keys or directly enciphering raw user data (e.g., user password).

Wen-Cheng Wang

References:
- Re: key usage - key encipherment or data encipherment
  - From: Peter Gutmann
- Re: key usage - key encipherment or data encipherment
  - From: Wen-Cheng Wang
- Re: key usage - key encipherment or data encipherment
  - From: Russ Housley

Prev by Date: Re: key usage - key encipherment or data encipherment
Next by Date: Re: key usage - key encipherment or data encipherment
Previous by thread: RE: key usage - key encipherment or data encipherment
Next by thread: Re: key usage - key encipherment or data encipherment
Index(es):
- Date
- Thread