Re: encipherOnly and decipherOnly Key Usages
In reply to your message of 19 Sep 97, 10:30:
As someone who was involved in the initial definition of this field in
X.509, it was the intention to be able to use the key agreement key to
encrypt a token. I don't believe that it was intended to place further
restrictions on how the data encrypted (in this case the token) may be
used.
I'm not sure I totally understand your question. If you are asking can
a (presumably symmetric) key held in the token be used for
purposes other than encrypting a message, where the token was
encrypted using the other party's public key agreement key provided
through a certificate with the encipherOnly bit set, probably yes.
If you can say a bit more about what you had in mind I will be happy to
give my views.
Nick Pope
> I have a question on usage of the encipherOnly and decipherOnly key
> usages.
> Assume I use the public key agreement key to protect a token. The
> token in turn houses the message key that was used to encrypt the
> message.
> Taking X.509 literally, setting encipherOnly means that the public key
> agreement key shall only be used to encrypt the token.
>
> In my example, is it possible (is it correct) to interpret the
> definition of encipherOnly to mean that I may only use the public key
> of that certificate as part of the process to encrypt a message,
> even though I am not directly using the public key agreement key to do
> so? (And ditto for decipherOnly.)
>
> Dave Simonetti
> Booz-Allen & Hamilton Inc.
-------------------------------------
Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.
Tel: +44 1245 495018
Fax: +44 1245 494517
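
Added example (not part of the original message or of any X.509 tooling): a small decoder for the DER-encoded KeyUsage BIT STRING, showing where the encipherOnly and decipherOnly bits sit and that they qualify only the use of the key agreement key itself, not the key carried in the token. The function names and sample encodings are constructed for illustration; the bit order and the "undefined without keyAgreement" rule follow the KeyUsage definition as carried in RFC 5280, section 4.2.1.3.

```python
# Added example; function names and sample encodings are constructed.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding a KeyUsage value into bit names."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a non-empty DER BIT STRING")
    if der[1] != len(der) - 2:
        raise ValueError("length octet does not match the encoding")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    names = set()
    for i in range(len(payload) * 8 - unused):
        # Bit 0 is the most significant bit of the first payload octet,
        # so decipherOnly (bit 8) lands in a second octet.
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("unknown KeyUsage bit %d" % i)
            names.add(KEY_USAGE_BITS[i])
    return names

def agreement_direction(usages: set) -> str:
    """Classify how the key agreement key itself may be used."""
    enc, dec = "encipherOnly" in usages, "decipherOnly" in usages
    if "keyAgreement" not in usages:
        # Without keyAgreement the two bits have no defined meaning.
        return "undefined" if (enc or dec) else "not-key-agreement"
    if enc and dec:
        return "conflict"  # assumption: this example flags both bits together
    if enc:
        return "encipher-only"
    if dec:
        return "decipher-only"
    return "unrestricted"

if __name__ == "__main__":
    # Constructed sample encodings of the KeyUsage BIT STRING.
    for hexval in ("03020009", "0303070880", "03020308", "03020001"):
        usages = decode_key_usage(bytes.fromhex(hexval))
        print(hexval, sorted(usages), agreement_direction(usages))
```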