
Re: proposed key usage text -- the final round

Hi Tim and Russ,

Thanks for taking the effort to clarify and settle the key usage debate.
Below are a few comments...

> To people who still care about NR:
>
> In a last ditch hope of settling the key usage debate Tim Polk and I have
> made minor adjustments to the key usage text.  We hope that this is text
> that everyone can live with (but we know that there are some people who
> will feel compelled to argue on and on and on and on and on and on ...).
>
> We believe that the PKIX Working Group Chairmen will have to determine
> whether or not we have reached rough consensus or not.
>
> Thanks,
>    Tim Polk and Russ Housley
>
[snip]
>
>        The dataEncipherment bit is asserted when the subject public key
>        is used for enciphering user data, other than cryptographic keys.

I would change "enciphering user data" to "enciphering data".

>
>        The keyAgreement bit is asserted when the subject public key is
>        used for key agreement.  For example, when a Diffie-Hellman key is
>        to be used for key management, then this bit shall be asserted.
>
>        The keyCertSign bit is asserted when the subject public key is
>        used for verifying a signature on certificates.  This bit may only
>        be asserted in CA certificates.  If the keyCertSign bit is
>        asserted, then the cA bit in the basic constraints extension (see
>        4.2.1.10) MUST also be asserted. If the keyCertSign bit is not
>        asserted, then the cA bit in the basic constraints extension MUST
>        NOT be asserted.
>
>        The cRLSign bit is asserted when the subject public key is used
>        for verifying a signature on revocation information (e.g., a CRL).

Neither of you responded to my previous comment on this bit. If cRLSign bit
is asserted, must the cA bit in the basic constraints extension also be
asserted? And vice-versa?

>
>        The meaning of the encipherOnly bit is undefined in the absence of
>        the keyAgreement bit.  When the encipherOnly bit is asserted and
>        the keyAgreement bit is also set, the subject public key may be
>        used only for enciphering data while performing key agreement.
>
>        The meaning of the decipherOnly bit is undefined in the absence of
>        the keyAgreement bit.  When the decipherOnly bit is asserted and
>        the keyAgreement bit is also set, the subject public key may be
>        used only for deciphering data while performing key agreement.
>
>     This profile does not restrict the combinations of bits that may be
>     set in an instantiation of the keyUsage extension.  However,
>     appropriate values for keyUsage extensions for particular algorithms
>     are specified in section 7.3.

Again, neither of you responded to my previous comment on at least
recommending against certain combinations.

Regards,
Aram Perez

P.S. I'm leaving shortly on vacation and will not be back until December 6,
so I won't read any responses until then. Have a great Thanksgiving!
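Added example, not part of this thread or of the PKIX draft text: a small Python checker that decodes a DER-encoded keyUsage BIT STRING into its named bits and applies the rules the quoted text states, namely that keyCertSign and the basicConstraints cA flag must agree, and that encipherOnly/decipherOnly are undefined without keyAgreement. The cRLSign/cA relationship Aram asks about is deliberately not checked because the text does not define it. Bit positions follow the X.509 KeyUsage definition (digitalSignature is bit 0, decipherOnly is bit 8); the sample encodings and the `cA` values passed in are constructed for the demonstration.

```python
# Added example: decode a keyUsage BIT STRING and check it against the
# profile rules quoted above.  Pure Python, no ASN.1 library needed.

# Named bits of KeyUsage, in bit-position order (bit 0 is the MSB of the
# first content octet of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03, short-form length) into the set of
    asserted keyUsage bit names.  Raises ValueError on malformed input."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]           # number of unused bits in the last octet
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(total_bits):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown keyUsage bit {i}")
            names.add(KEY_USAGE_BITS[i])
    return names


def check_key_usage(usage: set, ca: bool) -> list:
    """Return a list of problems found in (keyUsage, basicConstraints.cA)
    according to the quoted profile text.  An empty list means consistent."""
    problems = []
    # keyCertSign and the cA flag must agree in both directions.
    if "keyCertSign" in usage and not ca:
        problems.append("keyCertSign asserted but cA is not asserted")
    if "keyCertSign" not in usage and ca:
        problems.append("cA asserted but keyCertSign is not asserted")
    # encipherOnly / decipherOnly have no meaning without keyAgreement.
    for bit in ("encipherOnly", "decipherOnly"):
        if bit in usage and "keyAgreement" not in usage:
            problems.append(f"{bit} is undefined without keyAgreement")
    # cRLSign vs cA is left unchecked: the text does not define a rule.
    return problems


def check_der(der: bytes, ca: bool) -> list:
    """Convenience wrapper: decode, then check."""
    return check_key_usage(decode_key_usage(der), ca)


if __name__ == "__main__":
    # Constructed sample encodings (hex), not taken from any real certificate.
    samples = [
        ("CA cert: keyCertSign+cRLSign, cA=TRUE", "03020106", True),
        ("keyCertSign present, cA=FALSE", "03020106", False),
        ("End entity: digitalSignature+keyEncipherment", "030205a0", False),
        ("DH key: keyAgreement+decipherOnly", "0303070880", False),
        ("encipherOnly without keyAgreement", "0302070100", False),
    ]
    for label, hexstr, ca in samples:
        der = bytes.fromhex(hexstr)
        bits = sorted(decode_key_usage(der))
        print(f"{label}: bits={bits} problems={check_der(der, ca)}")
```

The decoder rejects long-form lengths and unknown bit positions rather than guessing, which is the behaviour you want in a validator: a keyUsage that does not decode cleanly should fail closed, not be silently interpreted.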