Re: KeyUsage (keyEncipherment versus dataEncipherment)
Petra,
>Which bits need to be asserted in a certificate which I want to use
>e.g. for encrypting emails ?
>Using the hybrid method (data is encrypted symmetrically and the
>symmetric key is encrypted asymmetrically) a certified asymmetric key
>will be used for keyEncipherment, but I assume dataEncipherment is the
>bit to be asserted, because I'm using the certified key for
>confidentiality and protection of the data. Or should maybe both bits
>be asserted in an encryption certificate ?
I'd suggest that the keyEncipherment flag is appropriate, since the key in
the cert is used to encipher the message key. The fact that the message
key is used for data encipherment is not relevant, as that is another level
removed.
Steve
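
Added example, not part of the original message: a decoder for the DER BIT STRING carried in a certificate's KeyUsage extension, plus a check that follows the reply's suggestion that keyEncipherment is the bit that matters for hybrid e-mail encryption. The function names and the sample byte strings are constructed for illustration, and the input is assumed to be the BIT STRING already unwrapped from the extension's OCTET STRING.

```python
# Added example: decode an X.509 KeyUsage value (DER BIT STRING) and check
# it for hybrid (key-transport) e-mail encryption. Helper names are hypothetical.

# Named bits of KeyUsage in X.509 / RFC 5280 order; bit 0 is the most
# significant bit of the first content octet.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Return the set of asserted KeyUsage bit names from a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    asserted = set()
    for i in range(len(content) * 8 - unused):
        if content[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit beyond decipherOnly")
            asserted.add(KEY_USAGE_BITS[i])
    return asserted

def usable_for_key_transport(der: bytes) -> bool:
    """True if the certified key may encipher a message (content) key."""
    return "keyEncipherment" in decode_key_usage(der)

# Constructed sample values (not taken from any real certificate).
ENCRYPTION_CERT = bytes.fromhex("03020520")  # keyEncipherment only
SIGNING_CERT = bytes.fromhex("030206c0")     # digitalSignature + nonRepudiation
DATA_ONLY_CERT = bytes.fromhex("03020410")   # dataEncipherment only

if __name__ == "__main__":
    for name, der in [("encryption", ENCRYPTION_CERT),
                      ("signing", SIGNING_CERT),
                      ("dataEncipherment-only", DATA_ONLY_CERT)]:
        print(name, sorted(decode_key_usage(der)), usable_for_key_transport(der))
```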