Key usage extensions in X.509 certificates

Key usage:

| Key usage extension | Description |
|---|---|
| Digital signature | Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity. |
| Non-repudiation | Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing). |
| Key encipherment | Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key encipherment. |
| Data encipherment | Use when the public key is used for encrypting user data, other than cryptographic keys. |
| Key agreement | Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers. |
| Certificate signing | Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates. |
| CRL signing | Use when the subject public key is used to verify a signature on revocation information, such as a CRL. |
| Encipher only | Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement. |
| Decipher only | Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement. |

Extended Key usage:

| Extended key usage | Enable for these key usage extensions |
|---|---|
| TLS Web server authentication | Digital signature, key encipherment or key agreement |
| TLS Web client authentication | Digital signature and/or key agreement |
| Sign (downloadable) executable code | Digital signature |
| Email protection | Digital signature, non-repudiation, and/or key encipherment or key agreement |
| IPSEC End System (host or router) | Digital signature and/or key encipherment or key agreement |
| IPSEC Tunnel | Digital signature and/or key encipherment or key agreement |
| IPSEC User | Digital signature and/or key encipherment or key agreement |
| Timestamping | Digital signature, non-repudiation |

Example of required key usage extensions

| Application | Required key usage extensions |
|---|---|
| SSL Client | Digital signature |
| SSL Server | Key encipherment |
| S/MIME Signing | Digital signature |
| S/MIME Encryption | Key encipherment |
| Certificate Signing | Certificate signing |
| Object Signing | Digital signature |
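The "Extended key usage" table above is really a consistency rule: every EKU a certificate advertises must be backed by at least one of the listed key usage bits, otherwise the certificate cannot actually be used for what it claims. The following Go program is an added example (not from the original post or from IBM) that encodes that table with the standard library's crypto/x509 types and flags the EKUs whose key usage backing is missing; the two certificates it checks are constructed in-memory inputs, not real certificates.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// requiredKU encodes the "Extended key usage" table: an EKU is consistent with
// the certificate if at least one of the listed key usage bits is set.
// Go names the non-repudiation bit KeyUsageContentCommitment (the RFC 5280 term).
var requiredKU = map[x509.ExtKeyUsage][]x509.KeyUsage{
	x509.ExtKeyUsageServerAuth:      {x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment, x509.KeyUsageKeyAgreement},
	x509.ExtKeyUsageClientAuth:      {x509.KeyUsageDigitalSignature, x509.KeyUsageKeyAgreement},
	x509.ExtKeyUsageCodeSigning:     {x509.KeyUsageDigitalSignature},
	x509.ExtKeyUsageEmailProtection: {x509.KeyUsageDigitalSignature, x509.KeyUsageContentCommitment, x509.KeyUsageKeyEncipherment, x509.KeyUsageKeyAgreement},
	x509.ExtKeyUsageIPSECEndSystem:  {x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment, x509.KeyUsageKeyAgreement},
	x509.ExtKeyUsageIPSECTunnel:     {x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment, x509.KeyUsageKeyAgreement},
	x509.ExtKeyUsageIPSECUser:       {x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment, x509.KeyUsageKeyAgreement},
	x509.ExtKeyUsageTimeStamping:    {x509.KeyUsageDigitalSignature, x509.KeyUsageContentCommitment},
}

// InconsistentEKUs returns the extended key usages of cert for which none of the
// key usage bits the table calls for is set. EKUs not in the table are skipped.
func InconsistentEKUs(cert *x509.Certificate) []x509.ExtKeyUsage {
	var bad []x509.ExtKeyUsage
	for _, eku := range cert.ExtKeyUsage {
		if allowed, known := requiredKU[eku]; known && !anySet(cert.KeyUsage, allowed) {
			bad = append(bad, eku)
		}
	}
	return bad
}

// anySet reports whether at least one of bits is present in ku.
func anySet(ku x509.KeyUsage, bits []x509.KeyUsage) bool {
	for _, b := range bits {
		if ku&b != 0 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: only the two fields the check needs are populated.
	server := &x509.Certificate{KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	mail := &x509.Certificate{KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	fmt.Println("server:", InconsistentEKUs(server), "mail:", InconsistentEKUs(mail))
}
```

The same check runs unchanged on a certificate parsed with x509.ParseCertificate, so it can be dropped into a CA issuance pipeline or a certificate inventory scan.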

Source:
IBM Knowledge Center

About the author

Tom
-- PKI and encryption expert -- WLAN and LAN specialist -- IT and film nerd --
