
keyCertSign and cRLSign Key Usage Bits



The consensus on these bits is not totally clear to me. Yet, several points have been made consistently, and I think that the following text incorporates them. The debate regarding the linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points.

      The keyCertSign bit is asserted when the subject public key is
      used for verifying a signature on public key certificates.  This
      bit MUST only be asserted in CA certificates.  If the keyCertSign
      bit is asserted, then the cA bit in the basic constraints
      extension (see 4.2.1.10) MUST also be asserted.  If neither the
      cRLSign bit nor the keyCertSign bit is asserted, then the cA bit
      in the basic constraints extension MUST NOT be asserted.

      The cRLSign bit is asserted when the subject public key is used
      for verifying a signature on a certificate revocation list (e.g.,
      a CRL or an ARL).  This bit MUST be asserted in CA and Attribute
      Authority (AA) certificates that are used to verify signatures on
      CRLs.  If the cRLSign bit is asserted in a CA certificate, then
      the cA bit in the basic constraints extension (see 4.2.1.10) MUST
      also be asserted.  If the cRLSign bit is asserted in an AA
      certificate, then the cA bit in the basic constraints extension
      MUST NOT be asserted.  Such AA certificates MUST NOT be used to
      verify signatures on CRLs containing revocation information for
      public key certificates; however, these AA certificates MAY be
      used to verify signatures on CRLs containing revocation
      information concerning attribute certificates.  If neither the
      cRLSign bit nor the keyCertSign bit is asserted, then the cA bit
      in the basic constraints extension MUST NOT be asserted.

Russ
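An added example, not part of Russ's message or the draft text, that turns the proposed keyUsage/basicConstraints linkage above into a checker a relying party could run on a parsed certificate. It assumes a certificate that carries cRLSign is either a CA certificate or an AA certificate (nothing else), and that an absent basic constraints extension counts as cA not asserted; the `CertProfile` fields and function names are hypothetical, not from any standard API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertProfile:
    """The bits the proposed text reasons about (hypothetical, constructed type)."""
    key_cert_sign: bool   # keyUsage.keyCertSign
    crl_sign: bool        # keyUsage.cRLSign
    ca: bool              # basicConstraints.cA (False if the extension is absent)
    is_aa: bool = False   # certificate belongs to an Attribute Authority, not a CA


def key_usage_violations(p: CertProfile) -> list:
    """Return the rules of the proposed text that profile p violates (empty = consistent)."""
    v = []
    # keyCertSign only in CA certificates, and then cA must be set.
    if p.key_cert_sign and p.is_aa:
        v.append("keyCertSign asserted in an AA certificate")
    if p.key_cert_sign and not p.ca:
        v.append("keyCertSign asserted but cA not asserted")
    # cRLSign: CA certificate -> cA asserted; AA certificate -> cA not asserted.
    if p.crl_sign and not p.is_aa and not p.ca:
        v.append("cRLSign asserted in a CA certificate without cA")
    if p.crl_sign and p.is_aa and p.ca:
        v.append("cRLSign asserted in an AA certificate with cA asserted")
    # cA without either signing bit is forbidden.
    if p.ca and not (p.key_cert_sign or p.crl_sign):
        v.append("cA asserted without keyCertSign or cRLSign")
    return v


def may_verify_crl(p: CertProfile, crl_covers_public_key_certs: bool) -> bool:
    """Decide whether a certificate with profile p may verify the signature on a CRL.

    AA certificates may verify CRLs for attribute certificates only, never CRLs that
    revoke public key certificates; an inconsistent profile is rejected outright.
    """
    if key_usage_violations(p) or not p.crl_sign:
        return False
    if p.is_aa and crl_covers_public_key_certs:
        return False
    return True


# Constructed profiles: a well-formed CA, a well-formed AA, and two broken ones.
CA_OK = CertProfile(key_cert_sign=True, crl_sign=True, ca=True)
AA_OK = CertProfile(key_cert_sign=False, crl_sign=True, ca=False, is_aa=True)
CA_NO_CA_BIT = CertProfile(key_cert_sign=True, crl_sign=False, ca=False)
CA_BIT_ONLY = CertProfile(key_cert_sign=False, crl_sign=False, ca=True)
```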