The requirement comes from the desire to tie cert/keys with functionality. Some enterprises may get their certs issued by CAs that set both keyUsage flags, yet want two certs for different purposes. MUAs will have to decide how to handle situations when the keyUsage field does not match the usage statement in the SMIMEA RR. It should be checked, but behavior when there are discrepancies will need to be specified.
Also, being able to specify signing and encrypting functions for raw keys may come in handy. It also helps in the reject case, where a domain can reject one usage for a cert.

Scott

On Nov 26, 2014, at 1:30 PM, Jakob Schlyter <[email protected]> wrote:

> REQ-5: Please elaborate on why normal certificate keyUsage is not usable to
> distinguish between certificates used for encryption/signing.
>
> jakob
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================
