[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: German Key Usage

To: "Simonetti David" <simonetti_david@xxxxxxx>, Stefan Santesson <stefan@xxxxxxxxxxx>
Subject: Re: German Key Usage
From: Robert Moskowitz <rgm-sec@xxxxxxxxxxxxxxx>
Date: Thu, 13 Aug 1998 10:38:30 -0400
Cc: Hans Nilsson <hans.nilsson@xxxxxxxx>, ietf-pkix@xxxxxxx, "'Cert-Talk'" <cert-talk@xxxxxxxxxxxxxxxxxx>, Blake Greenlee <blake.greenlee@xxxxxxxxxxxx>
In-reply-to: <>
References: <>
Sender: owner-ietf-pkix@xxxxxxx

At 03:48 PM 8/12/98 -0400, Simonetti David wrote:
>
>MISSI and FPKI state,
>
>"The digitalSignature bit should be set when the key is for use in
>ephemeral applications, e.g., for a single session authentication
>application.

The ANX Certificate Profile copies this text, however, valid bitg
combinations do not necessarily follow.

I would like to bring your attention to a 'new' interesting protocol called
IKE from the IPsec wg.  In Main Mode, there are 2 interesting
authentication methods, RSA Sig and RSA Encrypt (RSA Enhanced Encrypt has
the same behaviour).  RSA Sig is an authentication process so
digitalSignature is the appropriate key usage.  But in RSA Encrypt, the
public key is part of the D-H nonce, it is used to encrypt the payload as
well as to sign it.  Thus digitalSignature, dataEncipherment, and
keyAgreement would be the appropriate usages.  Now to expect different
certs (and different key pairs) in the ISAKMP payload is straching things a
bit on the admin side, so I suspect that there will be a push for 'IPsec'
certs to set all 3 bits.

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com

References:
- Re: German Key Usage
  - From: Stefan Santesson
- Re: German Key Usage
  - From: Simonetti David

Prev by Date: RE: German Key Usage
Next by Date: RE: German Key Usage
Previous by thread: Re: German Key Usage
Next by thread: RE: German Key Usage
Index(es):
- Date
- Thread