Home Contact Download

asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).
Trace: » certificates

This is an old revision of the document!

This page is more or less a resume of RFC3280.

Certificates

Key Usage

Digital Signature

    The digitalSignature bit is asserted when the subject public key
    is used with a digital signature mechanism to support security
    services other than certificate signing (bit 5), or CRL signing
    (bit 6).  Digital signature mechanisms are often used for entity
    authentication and data origin authentication with integrity.

Non Repudiation

    The nonRepudiation bit is asserted when the subject public key is
    used to verify digital signatures used to provide a non-
    repudiation service which protects against the signing entity
    falsely denying some action, excluding certificate or CRL signing.
    In the case of later conflict, a reliable third party may
    determine the authenticity of the signed data.

Note about nonRepudiation and digitalSignature

    Further distinctions between the digitalSignature and
    nonRepudiation bits may be provided in specific certificate
    policies.

Key Encipherment

    The keyEncipherment bit is asserted when the subject public key is
    used for key transport.  For example, when an RSA key is to be
    used for key management, then this bit is set.

data Encipherment

    The dataEncipherment bit is asserted when the subject public key
    is used for enciphering user data, other than cryptographic keys.

Key Agreement

    The keyAgreement bit is asserted when the subject public key is
    used for key agreement.  For example, when a Diffie-Hellman key is
    to be used for key management, then this bit is set.

Key Cert Sign

    The keyCertSign bit is asserted when the subject public key is
    used for verifying a signature on public key certificates.  If the
    keyCertSign bit is asserted, then the cA bit in the basic
    constraints extension (section 4.2.1.10) MUST also be asserted.

CRL Sign

    The cRLSign bit is asserted when the subject public key is used
    for verifying a signature on certificate revocation list (e.g., a
    CRL, delta CRL, or an ARL).  This bit MUST be asserted in
    certificates that are used to verify signatures on CRLs.

encipher Only

    The meaning of the encipherOnly bit is undefined in the absence of
    the keyAgreement bit.  When the encipherOnly bit is asserted and
    the keyAgreement bit is also set, the subject public key may be
    used only for enciphering data while performing key agreement.

decipher Only

    The meaning of the decipherOnly bit is undefined in the absence of
    the keyAgreement bit.  When the decipherOnly bit is asserted and
    the keyAgreement bit is also set, the subject public key may be
    used only for deciphering data while performing key agreement.