[Smcwg-public] Cert Consumer guidance on keyUsage

Stephen Davidson Stephen.Davidson at digicert.com
Fri Oct 29 19:02:37 UTC 2021


Hi all:

We've had some useful discussion in the group lately about areas where the S/MIME BR may deviate from existing guidance from root programs or Cert Consumer software.

For example the gmail profile currently stipulates for keyUsage:

Bit positions must be set for either: digitalSignature and/or nonRepudiation/contentCommitment

Bit positions may be set for: dataEncipherment and/or keyEncipherment

Other bit positions must not be set.

Under this profile, the use of split (separate signing and key management) keys would not be allowed.  Split keys are a common S/MIME deployment.

We'd like to verify the reach of the Cert Consumer profiles where the draft S/MIME BR deviates from existing texts.  We've gone through detailed work to incorporate the existing guidance but, for example, the draft S/MIME BR will allow the use of split keys:

For signing only, bit positions MUST be set for: digitalSignature
Bit positions MAY be set for: nonRepudiation/contentCommitment

For key management only, bit positions MUST be set for: keyEncipherment
Bit positions MAY be set for: dataEncipherment

For dual use, bit positions MUST be set for: keyEncipherment and digitalSignature
Bit positions MAY be set for: nonRepudiation/contentCommitment and/or dataEncipherment

Other bit positions MUST NOT be set.

Do we have agreement from the Cert Consumers on this approach?

Best regards, Stephen
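As an added example (not from this post or from the CA/Browser Forum), the following Python classifies a certificate's keyUsage bits against the three draft S/MIME BR profiles quoted above and checks whether the quoted Gmail profile would accept the same certificate; the DER decoding, the sample values and the profile labels are this example's own constructions.

```python
# RFC 5280 KeyUsage bit positions (bit 0 is the most significant bit of the
# first BIT STRING content byte).
KU = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
SIGN, NR, KEYMGMT, DATA = ("digitalSignature", "nonRepudiation",
                           "keyEncipherment", "dataEncipherment")


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER KeyUsage BIT STRING (e.g. 03 02 05 a0)
    into the set of named bits that are set."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a single short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("DER requires the unused trailing bits to be zero")
    total = len(body) * 8 - unused
    return {name for name, pos in KU.items()
            if pos < total and body[pos // 8] & (0x80 >> (pos % 8))}


def smime_br_profile(bits: set):
    """Name the draft S/MIME BR profile the bit set fits ('signing',
    'key-management' or 'dual-use'); None if it fits none of them."""
    if bits - {SIGN, NR, KEYMGMT, DATA}:
        return None                      # "Other bit positions MUST NOT be set"
    if SIGN in bits and KEYMGMT in bits:
        return "dual-use"                # NR and dataEncipherment are optional
    if SIGN in bits and DATA not in bits:
        return "signing"                 # only nonRepudiation may accompany it
    if KEYMGMT in bits and NR not in bits:
        return "key-management"          # only dataEncipherment may accompany it
    return None                          # e.g. dataEncipherment or NR alone


def gmail_profile_allows(bits: set) -> bool:
    """Gmail profile as quoted in the post: digitalSignature and/or
    nonRepudiation required, the two encipherment bits optional."""
    return bool(bits & {SIGN, NR}) and not (bits - {SIGN, NR, KEYMGMT, DATA})


# Constructed sample KeyUsage values, one per draft BR profile.
SAMPLES = {
    "signing-only": bytes.fromhex("030206c0"),        # digitalSignature, nonRepudiation
    "key-management-only": bytes.fromhex("03020430"), # keyEncipherment, dataEncipherment
    "dual-use": bytes.fromhex("030205a0"),            # digitalSignature, keyEncipherment
}


def compare_profiles(samples=SAMPLES) -> dict:
    """Map each sample to (draft BR profile, accepted by the Gmail profile)."""
    out = {}
    for label, der in samples.items():
        bits = decode_key_usage(der)
        out[label] = (smime_br_profile(bits), gmail_profile_allows(bits))
    return out


if __name__ == "__main__":
    for label, (profile, ok) in compare_profiles().items():
        print(f"{label}: BR profile={profile}, gmail accepts={ok}")
```

Run as a script, it shows that the key-management-only split key is valid under the draft BR but rejected by the quoted Gmail profile, which is exactly the deviation the post raises.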
