
RE: key usage - key encipherment or data encipherment



Simply an observation, not a disagreement.

Unfortunately, the keyEncipherment bit has grown to be used for both key
encipherment and data encipherment. I see this a lot, especially with
field-level encryption in databases, and encryption of small data files.

I guess what I'm getting at is that I never see certificates with the
dataEncipherment bit set in actual use, but I come across lots of
places where data is encrypted with the private key.

With that said, I like the text below.

-Laudon

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Russ Housley
Sent: Thursday, May 12, 2005 12:21 PM
To: ietf-pkix@xxxxxxxx
Subject: Re: key usage - key encipherment or data encipherment


There has been a whole lot of discussion about these paragraphs.  Since 
some of the discussion has not been CCed to the PKIX mail list, I am 
posting the resulting words.

      The keyEncipherment bit is asserted when the subject public key is
      used for enciphering private or secret keys, i.e., for key transport.
      For example, this bit shall be set when an RSA public key is to be
      used for encrypting a symmetric content-decryption key or an
      asymmetric private key.

      The dataEncipherment bit is asserted when the subject public key
      is used for directly enciphering raw user data without the use of
      an intermediate symmetric cipher. Note that the use of this
      bit is extremely uncommon; almost all applications use
      key transport or key agreement to establish a symmetric key.

I hope we are close to closure on this one...

Russ
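The two paragraphs above define which KeyUsage bit an RSA encryption operation must rely on. The following is an added example, not code from the thread or from the PKIX working group: it decodes the DER BIT STRING of a KeyUsage extension (bit numbering from X.509: keyEncipherment is bit 2, dataEncipherment is bit 3) and checks whether a certificate that asserts only keyEncipherment may be used for key transport but not for directly encrypting raw data. The sample encodings and the operation names `key_transport` and `direct_data` are constructed for illustration.

```python
# Added example (not from the PKIX thread): decode the DER KeyUsage BIT STRING
# from a certificate extension and check that the intended RSA operation
# matches the asserted bit. Sample encodings are constructed for illustration.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation",
    "keyEncipherment",    # bit 2: key transport (wrapping a symmetric/private key)
    "dataEncipherment",   # bit 3: direct encryption of raw user data (rare)
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Bit the intended operation requires, per the semantics quoted in the thread.
REQUIRED_BIT = {"key_transport": "keyEncipherment", "direct_data": "dataEncipherment"}


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) into the set of named KeyUsage bits.

    Bit 0 is the most significant bit of the first content byte; the byte
    after the length gives the number of unused trailing bits in the last byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and body[i // 8] & (0x80 >> (i % 8))
    }


def usage_permits(asserted: set, operation: str) -> bool:
    """True if the certificate's KeyUsage allows the operation.

    Encrypting raw data under a certificate that only asserts keyEncipherment
    (the misuse the thread describes) is rejected rather than silently accepted.
    """
    return REQUIRED_BIT[operation] in asserted


# Constructed samples: 0xA0 sets bits 0 and 2 (digitalSignature, keyEncipherment)
# with 5 unused bits; 0x10 sets bit 3 only (dataEncipherment) with 4 unused bits.
TLS_SERVER_KU = bytes.fromhex("030205a0")
DATA_ENC_KU = bytes.fromhex("03020410")
```

The decoder stops at the bit count implied by the unused-bits byte, so DER encodings with trailing zero bits stripped (the normal form for named bit lists) decode the same as padded ones.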