
Re: key usage - key encipherment or data encipherment



Eric,

> The user doesn't really care or even want to know whether an intermediate symmetric key is involved or not.

I agree. The increased complexity of the rewording for 'keyEncipherment' is even more information that the user, or implementer, doesn't need to know.

Having two bits for encryption just makes room for interoperability problems like those already mentioned. Where exactly is the benefit? Earlier remarks that it should be preserved until people are "smart enough" to make good use of it don't help much.

If the use of 'dataEncipherment' is deprecated, but not reused for another purpose, we would have only 1 bit 'keyEncipherment' that could be renamed 'encipherment'. The proposed rewording discourages use of 'dataEncipherment' anyway. This would have little impact on implementations that use 'keyEncipherment' already, or implementations that set both bits because the distinction is so unclear and irrelevant.

Simon.


Simon McMahon

Work: (07) 31311420
Mobile: (043) 2294180


>>> Eric Norman <ejnorman@xxxxxxxxxxxxx> 05/20/05 07:16am >>>


On May 19, 2005, at 1:33 PM, Hallam-Baker, Phillip wrote:

> I have been following the thread, I think the cures proposed may be
> worse than the problem.
>
> I think that the sentences can be adequately clarified by stating that
> dataEncipherment is to be set if the key is to be used to directly
> encipher data, i.e. without the use of an intermediate session key.

I might as well chime in with my take, which is different yet. And since
those two bits have already appeared in standards documents, probably
not worth anything.

I think that from a user's point of view, all the user cares about is that
the data is protected in transit and perhaps at rest. The user doesn't
really care or even want to know whether an intermediate symmetric key
is involved or not. From that point of view, the distinction seems
rather silly.

Now, if someone came up with a key escrow scheme that would escrow
the symmetric key, then that might be interesting. But that's yet another
thread.

Eric Norman
University of Wisconsin
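For readers who want to see the two bits the thread argues about in concrete form, here is an added example (not code from this list or from any standard's text): a small decoder for the DER-encoded KeyUsage BIT STRING using the bit positions from RFC 3280, plus a strict and a lenient acceptance check of my own construction that mirrors the "set both bits" interoperability situation Simon describes. The sample encodings are constructed for this example.

```python
# Added example (not from this thread): decode an X.509 KeyUsage extension
# value (a DER BIT STRING) and report which named bits are set.
from typing import List

# Named bit positions from RFC 3280 section 4.2.1.3; bit 0 is the most
# significant bit of the first content byte after the unused-bits octet.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> List[str]:
    """Return the names of the set bits in a DER BIT STRING KeyUsage value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported length")
    unused = der[2]
    if unused > 7 or (length == 1 and unused != 0):
        raise ValueError("invalid unused-bits count")
    if der[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires the unused bits to be zero")
    nbits = (length - 1) * 8 - unused          # meaningful bits in the string
    names = []
    for i in range(nbits):
        if der[3 + i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown KeyUsage bit {i}")
            names.append(KEY_USAGE_BITS[i])
    return names


def allows_key_transport(der: bytes, lenient: bool = False) -> bool:
    """Hypothetical policy check. Strict reading: only keyEncipherment
    permits using the key to wrap a session key. Lenient reading (what
    implementations that set both bits end up relying on): either
    encipherment bit is accepted."""
    names = set(decode_key_usage(der))
    if lenient:
        return bool(names & {"keyEncipherment", "dataEncipherment"})
    return "keyEncipherment" in names


# Constructed sample encodings. DER drops trailing zero bits of a named
# bit list, which is why the unused-bit counts differ.
KEY_ENC_ONLY = bytes.fromhex("03020520")   # keyEncipherment
DATA_ENC_ONLY = bytes.fromhex("03020410")  # dataEncipherment
BOTH_ENC = bytes.fromhex("03020430")       # both bits set
```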



