RE: [Moderator Action] Missing items in KeyUsage

#2 doesn't seem like it would work. SignOnce can easily turn into SignTwice if the first enrollment attempt fails, or if renewal is needed. The unfortunate reality is that where certificate enrollment is concerned, current applications assume that encryption keys can sign enrollment requests.

-----Original Message-----
From: Wendy Seltzer [mailto:wseltzer@w3.org] 
Sent: Monday, April 1, 2013 2:42 PM
To: public-webcrypto@w3.org
Subject: Fwd: [Moderator Action] Missing items in KeyUsage
-------- Original Message --------
Subject: [Moderator Action] Missing items in KeyUsage
Date: Sat, 30 Mar 2013 15:18:17 +0000
From: Jim Schaad <ietf@augustcellars.com>
To: <public-webcrypto@w3.org>

This may have already been covered in the past (I have not read all of the history yet), but there are a couple of things that I noticed about the KeyUsage enumeration that I found off.

1.  There may be a desire to separate the idea of encrypt/decrypt between data and keys.  This leads to better separation of usage for key wrap items.

2.  There may be a need to have a signOnce key usage as well.  If one is looking at creating an encrypt/decrypt only public key, one may still want to tag it as being able to do a single signature operation for the purposes of obtaining a certificate by signing a PKCS#10, CMC or CMP message.

3.  The current set of key usages does not have a key agreement usage.  What is the current view of how Diffie-Hellman keys are marked?  They are not actually encrypt/decrypt keys.

Jim

Received on Tuesday, 2 April 2013 08:53:55 UTC