This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is a [Certificate Extensions] defined in [RFC 5280] for [X.509] [Certificate]s. It defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the [certificate].
The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the [digitalSignature] and/or [nonRepudiation] [bits] would be asserted.
Likewise, when an RSA key should be used only for key management, the keyEncipherment bit would be asserted.
Conforming CAs [MUST] include this extension in [certificates] that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs [SHOULD] mark this extension as critical.
%%prettify
{{{
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1), -- recent editions of X.509 have
                                  -- renamed this bit to contentCommitment
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }
}}} /%
[Bits] in the [{$pagename}] type are used as follows:
* [digitalSignature]
* [nonRepudiation]
* [keyEncipherment]
* [dataEncipherment]
* [keyAgreement]
* [keyCertSign]
* [cRLSign]
The meaning of the [encipherOnly] bit is undefined in the absence of the [keyAgreement] bit. When the [encipherOnly] bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement.
The meaning of the [decipherOnly] bit is undefined in the absence of the [keyAgreement] bit. When the [decipherOnly] bit is asserted and the [keyAgreement] bit is also set, the subject public key may be used only for deciphering data while performing key agreement.
If the [keyUsage] extension is present, then the subject public key [MUST NOT] be used to verify signatures on [certificates] or [CRLs] unless the corresponding [keyCertSign] or [cRLSign] bit is set. If the subject public key is only to be used for verifying signatures on certificates and/or CRLs, then the digitalSignature and [nonRepudiation] bits [SHOULD NOT] be set. However, the [digitalSignature] and/or [nonRepudiation] bits [MAY] be set in addition to the [keyCertSign] and/or [cRLSign] bits if the subject public key is to be used to verify [Digital Signatures] on [certificates] and/or [CRLs] as well as other objects.
Combining the [nonRepudiation] bit in the [{$pagename}] certificate extension with other keyUsage bits may have security implications depending on the context in which the certificate is to be used.
Further distinctions between the digitalSignature and nonRepudiation bits may be provided in specific certificate policies.
The [RFC 5280] profile does not restrict the combinations of bits that may be set in an instantiation of the [{$pagename}] extension. However, appropriate values for keyUsage extensions for particular [algorithms] are specified in [RFC 3279], [RFC 4055], and [RFC 4491]. When the keyUsage extension appears in a certificate, at least one of the bits [MUST] be set to 1.
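The following is an added example, not part of this page or of RFC 5280, that shows both how the KeyUsage BIT STRING above is DER-encoded (named bit list, bit 0 is the most significant bit of the first octet, trailing zero bits are dropped) and how a relying party can check the rules from the preceding paragraphs before trusting a key for a given operation. The function names (encode_key_usage, decode_key_usage, check_key_usage) are hypothetical, and the byte strings in the comments are constructed test vectors. It uses only the Python standard library so that it runs offline.

```python
"""KeyUsage (RFC 5280 section 4.2.1.3) DER encoder/decoder with policy checks.

Added example; helper names are hypothetical and not from any library.
"""

# Named bits exactly as in the KeyUsage ASN.1 definition on this page.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,      # renamed contentCommitment in newer X.509
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}
BIT_NAMES = {v: k for k, v in KEY_USAGE_BITS.items()}


def encode_key_usage(names):
    """DER-encode a collection of KeyUsage bit names as a BIT STRING.

    DER requires trailing zero bits of a named bit list to be removed, so the
    encoded length depends only on the highest bit that is set.
    """
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        raise ValueError("RFC 5280: at least one KeyUsage bit MUST be set")
    nbits = bits[-1] + 1                 # highest set bit + 1
    nbytes = (nbits + 7) // 8
    unused = nbytes * 8 - nbits          # padding bits in the last octet
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)  # bit 0 is the MSB of octet 0
    content = bytes([unused]) + bytes(value)
    return bytes([0x03, len(content)]) + content   # 0x03 = BIT STRING tag


def decode_key_usage(der):
    """Parse a DER BIT STRING into the set of asserted KeyUsage bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("DER: padding bits must be zero")
    nbits = len(body) * 8 - unused
    names = set()
    for b in range(nbits):
        if body[b // 8] & (0x80 >> (b % 8)):
            if b not in BIT_NAMES:
                raise ValueError(f"unknown KeyUsage bit {b}")
            names.add(BIT_NAMES[b])
    return names


def check_key_usage(names, *, verify_cert_sig=False, verify_crl_sig=False):
    """Apply the RFC 5280 rules quoted on this page; return a list of problems.

    The keyword flags describe what the relying party intends to do with the
    subject public key, so that the MUST NOT rule for keyCertSign / cRLSign
    can be enforced at the point of use.
    """
    problems = []
    if not names:
        problems.append("no bit set (at least one MUST be set)")
    if "keyAgreement" not in names:
        for b in ("encipherOnly", "decipherOnly"):
            if b in names:
                problems.append(f"{b} is undefined without keyAgreement")
    if verify_cert_sig and "keyCertSign" not in names:
        problems.append("MUST NOT verify certificate signatures without keyCertSign")
    if verify_crl_sig and "cRLSign" not in names:
        problems.append("MUST NOT verify CRL signatures without cRLSign")
    return problems


if __name__ == "__main__":
    # Constructed vectors: a typical end-entity key and a typical CA key.
    ee = encode_key_usage(["digitalSignature", "keyEncipherment"])  # 03 02 05 a0
    ca = encode_key_usage(["keyCertSign", "cRLSign"])               # 03 02 01 06
    print(ee.hex(), decode_key_usage(ee))
    print(ca.hex(), decode_key_usage(ca))
    print(check_key_usage(decode_key_usage(ee), verify_cert_sig=True))
```

The encoder makes the trailing-zero rule visible: the decipherOnly bit (8) forces a second content octet with seven unused bits, whereas a key marked only digitalSignature and keyEncipherment fits in one octet with five unused bits. The decoder rejects non-zero padding bits, which a lenient parser would silently ignore and which could otherwise let two encoders disagree about the same extension value.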
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]