asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

This page is more or less a summary of RFC 3280.

Certificates

Key Usage

Digital Signature

    The digitalSignature bit is asserted when the subject public key is
    used with a digital signature mechanism to support security services
    other than certificate signing (bit 5), or CRL signing (bit 6).
    Digital signature mechanisms are often used for entity
    authentication and data origin authentication with integrity.

Non Repudiation

    The nonRepudiation bit is asserted when the subject public key is
    used to verify digital signatures used to provide a non-
    repudiation service which protects against the signing entity
    falsely denying some action, excluding certificate or CRL signing.
    In the case of later conflict, a reliable third party may
    determine the authenticity of the signed data.

Note about nonRepudiation and digitalSignature

    Further distinctions between the digitalSignature and
    nonRepudiation bits may be provided in specific certificate
    policies.

Key Encipherment

    The keyEncipherment bit is asserted when the subject public key is
    used for key transport.  For example, when an RSA key is to be
    used for key management, then this bit is set.

Data Encipherment

    The dataEncipherment bit is asserted when the subject public key
    is used for enciphering user data, other than cryptographic keys.

Key Agreement

    The keyAgreement bit is asserted when the subject public key is
    used for key agreement.  For example, when a Diffie-Hellman key is
    to be used for key management, then this bit is set.

Key Cert Sign

    The keyCertSign bit is asserted when the subject public key is
    used for verifying a signature on public key certificates.  If the
    keyCertSign bit is asserted, then the cA bit in the basic
    constraints extension (section 4.2.1.10) MUST also be asserted.

CRL Sign

    The cRLSign bit is asserted when the subject public key is used
    for verifying a signature on certificate revocation list (e.g., a
    CRL, delta CRL, or an ARL).  This bit MUST be asserted in
    certificates that are used to verify signatures on CRLs.

Encipher Only

    The meaning of the encipherOnly bit is undefined in the absence of
    the keyAgreement bit.  When the encipherOnly bit is asserted and
    the keyAgreement bit is also set, the subject public key may be
    used only for enciphering data while performing key agreement.

Decipher Only

    The meaning of the decipherOnly bit is undefined in the absence of
    the keyAgreement bit.  When the decipherOnly bit is asserted and
    the keyAgreement bit is also set, the subject public key may be
    used only for deciphering data while performing key agreement.