[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IETF-PKIX] Suggestions for Key Usage Profile

To: IETF-PKIX@xxxxxxxxxxxxxxxx
Subject: Re: [IETF-PKIX] Suggestions for Key Usage Profile
From: Simonetti David <simonetti_david@xxxxxxx>
Date: Thu, 18 Dec 1997 11:34:19 -0500
Organization: BAH
References: <>
Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>

Folks,

Sorry to bother you all again, but based on the previous discussions on
Key Usage, I had expected more response to my proposal (below).  Can I
consider the silence to be general acceptance?

Have I not yet made the case as to why this is important?

Dave S.

Simonetti David wrote:
>
> Tim (et al),
>
> As you stated at the meeting last week with respect to the key usage
> profile, I
> agree that PKIX should not restrict the bit combinations.  However, I
> think the previous discussions on this topic proved obvious that there
> are multiple interpretations of these bits.
>
> In an attempt to clarify the meaning of several of the bits, I suggest
> the following editorial changes to PKIX-1:
>
> Section 4.2.1.3, paragraph beginning with "The digitalSignature bit is
> asserted...", add the following, "The digitalSignature bit should be set
> when the key is for use in ephemeral applications, e.g., for a single
> session authentication application such as SSL."
>
> Paragraph beginning with "The nonRepudiation bit is asserted...", add
> the following, "The nonRepudiation bit should be set when when the key
> is used to sign an object which may require the validation of the
> signature at a future time."
>
> I also suggest adding, "If the key may be used for both digitalSignature
> and nonRepudiation applications, both bits may be set."
>
> Finally, after the descriptions of encipherOnly and decipherOnly I
> suggest adding the following:
>
> "The encipherOnly and decipherOnly key usages are intended to provide
> support for key agreement schemes where separate shared secret keys are
> used in each direction of communication.  In such a scheme, a user has
> more than one set of key pairs and bits 7 (encipherOnly) and 8
> (decipherOnly) are used to distinguish between the two types.  The
> originator of a message would use the recipient's public key certificate
> with bits 4 (keyAgreement) and 7 (encipherOnly) to create a key
> encryption key.  The recipient would use the originator's certificate
> with bits 4 (keyAgreement) and 8 (decipherOnly) to create the key
> encryption key.  Typically the originator would pass his own certificate
> with bits 4 and 8 along with the message."
>
> Regards,
>
> Dave Simonetti

References:
- [IETF-PKIX] Suggestions for Key Usage Profile
  - From: Simonetti David

Prev by Date: Re: [IETF-PKIX] account-authority digitial signature .... fyi
Next by Date: Re: [IETF-PKIX] PKIX/ECDSA - Duplicate OIDs
Previous by thread: [IETF-PKIX] Suggestions for Key Usage Profile
Next by thread: Re: [IETF-PKIX] Suggestions for Key Usage Profile
Index(es):
- Date
- Thread