Re: key usage - key encipherment or data encipherment
I am afraid, this still does not provide sufficient clarity.
Some questions that I cannot answer, based on reading the text
below (although I know the answers from practice) are:
1) Whose private key am I encrypting with the public key? Mine?
Hopefully not, because if this were the only copy of my private
key, what am I going to use to decrypt the cipher-text with?
While this may appear as a ridiculous notion, the point is that
the text does not clarify this question.
2) What if I'm not using the certificate for key transport? I may
have issued a certificate to a database that generates symmetric
keys to encrypt database content, and then stores the encrypted
symmetric key within the same database with the cipher-text. I'm
not transporting the symmetric key anywhere, so should I be using
the keyEncipherment bit or the dataEncipherment bit?
In my opinion, the confusion arises because the two bits perform
the same function: encipherment (as Simon McMahon pointed out in
an earlier posting), but for different purposes.
There is a certain simplicity to having just one encipherment bit,
letting applications decide what they want to encrypt with the
certificate's public-key and letting them codify it in *their*
protocols - as S/MIME does - or through EKUs.
Arshad Noor
StrongAuth, Inc.
Russ Housley wrote:
There has been a whole lot of discussion about these paragraphs. Since
some of the discussion has not been CCed to the PKIX mail list, I am
posting the resulting words.
The keyEncipherment bit is asserted when the subject public key is
used for enciphering private or secret keys, i.e., for key transport.
For example, this bit shall be set when a RSA public key is to be
used for encrypting a symmetric content-decryption key or an
asymmetric private key.
The dataEncipherment bit is asserted when the subject public key
is used for directly enciphering raw user data without the use of
an intermediate symmetric cipher. Note that the use of this
bit is extremely uncommon; almost all applications use
key transport or key agreement to establish a symmetric key.
I hope we are close to closure on this one....
Russ
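To make the definitions in the quoted paragraphs concrete, here is an added example (not code from this thread or from any of its participants) that encodes and decodes the X.509 KeyUsage value as a DER BIT STRING and maps an intended use of the public key onto the bit the quoted text says it requires: keyEncipherment when the public key enciphers a symmetric or private key, dataEncipherment when it enciphers raw user data directly. The bit numbering is the standard KeyUsage ASN.1 numbering (digitalSignature is bit 0, keyEncipherment bit 2, dataEncipherment bit 3); the purpose names in `REQUIRED_BIT` and the helper function names are this example's own assumptions.

```python
# Added example; not code from the PKIX thread or any of its participants.
# Encodes/decodes the KeyUsage BIT STRING in DER and checks which of the
# keyEncipherment / dataEncipherment bits an intended use requires under
# the definitions quoted above. Purpose names are this example's own.
from typing import Dict, Iterable, List

# KeyUsage named bits in ASN.1 bit order: bit 0 is the most significant
# bit of the first content octet of the BIT STRING.
KEY_USAGE_BITS: Dict[str, int] = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# Purpose names are assumptions of this example; the right-hand side is
# the bit the quoted text says each purpose asserts.
REQUIRED_BIT: Dict[str, str] = {
    "wrap_symmetric_key": "keyEncipherment",   # key transport of a content key
    "wrap_private_key": "keyEncipherment",     # key transport of a private key
    "encrypt_raw_data": "dataEncipherment",    # no intermediate symmetric cipher
}


def encode_key_usage(names: Iterable[str]) -> bytes:
    """DER-encode KeyUsage. DER drops trailing zero bits, so the
    unused-bits octet is derived from the highest bit that is set."""
    bits = sorted({KEY_USAGE_BITS[n] for n in names})
    if not bits:
        return b"\x03\x01\x00"          # empty BIT STRING
    nbytes = bits[-1] // 8 + 1
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - (bits[-1] + 1)
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return b"\x03" + bytes([len(content)]) + content


def _bit_string_body(der: bytes) -> bytes:
    """Return the content octets of a short-form DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length encoding")
    if der[2] > 7 or (length == 1 and der[2] != 0):
        raise ValueError("bad unused-bits octet")
    return der[2:]


def is_der_minimal(der: bytes) -> bool:
    """True if no trailing zero bits are encoded. BER encoders may pad a
    named-bit list to a whole octet; DER forbids that, so a strict
    verifier should reject such a value."""
    body = _bit_string_body(der)
    unused, octets = body[0], body[1:]
    if not octets:
        return True
    last = len(octets) * 8 - unused - 1
    return bool((octets[last // 8] >> (7 - last % 8)) & 1)


def decode_key_usage(der: bytes, strict: bool = True) -> List[str]:
    """Return the names of the KeyUsage bits set in a DER BIT STRING."""
    if strict and not is_der_minimal(der):
        raise ValueError("BIT STRING has trailing zero bits (not DER)")
    body = _bit_string_body(der)
    unused, octets = body[0], body[1:]
    total = len(octets) * 8 - unused
    return [name for name, idx in KEY_USAGE_BITS.items()
            if idx < total and (octets[idx // 8] >> (7 - idx % 8)) & 1]


def permits(der_key_usage: bytes, purpose: str) -> bool:
    """Does this KeyUsage value allow the public key for `purpose`
    under the quoted definition?"""
    return REQUIRED_BIT[purpose] in decode_key_usage(der_key_usage)


if __name__ == "__main__":
    # Constructed sample: a certificate asserting digitalSignature and
    # keyEncipherment, the usual pair for an RSA key-transport recipient.
    ku = encode_key_usage(["digitalSignature", "keyEncipherment"])
    print(ku.hex())
    print(decode_key_usage(ku))
    for purpose in REQUIRED_BIT:
        print(purpose, permits(ku, purpose))
```

The same bytes are what `openssl x509 -noout -text` renders as "X509v3 Key Usage: Digital Signature, Key Encipherment"; under the quoted definition such a certificate may be used to wrap a symmetric or private key but not to encipher raw data directly, which is exactly the distinction the thread is debating.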