Discuss this help topic in SecureBlackbox Forum
TElKeyUsageExtension is a descendant of TElCustomExtension class.
Description
This extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
The following paragraph is taken from RFC 2459 (Housley, et. al.), part 4.2.1.3:
«The digitalSignature bit is asserted when the subject public key
is used with a digital signature mechanism to support security
services other than non-repudiation (bit 1), certificate signing
(bit 5), or revocation information signing (bit 6). Digital
signature mechanisms are often used for entity authentication and
data origin authentication with integrity.
The nonRepudiation bit is asserted when the subject public key is
used to verify digital signatures used to provide a non-
repudiation service which protects against the signing entity
falsely denying some action, excluding certificate or CRL signing.
The keyEncipherment bit is asserted when the subject public key is
used for key transport. For example, when an RSA key is to be
used for key management, then this bit shall asserted.
The dataEncipherment bit is asserted when the subject public key
is used for enciphering user data, other than cryptographic keys.
The keyAgreement bit is asserted when the subject public key is
used for key agreement. For example, when a Diffie-Hellman key is
to be used for key management, then this bit shall asserted.
The keyCertSign bit is asserted when the subject public key is
used for verifying a signature on certificates. This bit may only
be asserted in CA certificates.
The cRLSign bit is asserted when the subject public key is used
for verifying a signature on revocation information (e.g., a CRL).
The meaning of the encipherOnly bit is undefined in the absence of
the keyAgreement bit. When the encipherOnly bit is asserted and
the keyAgreement bit is also set, the subject public key may be
used only for enciphering data while performing key agreement.
The meaning of the decipherOnly bit is undefined in the absence of
the keyAgreement bit. When the decipherOnly bit is asserted and
the keyAgreement bit is also set, the subject public key may be
used only for deciphering data while performing key agreement.
This profile does not restrict the combinations of bits that may be
set in an instantiation of the keyUsage extension. However,
appropriate values for keyUsage extensions for particular algorithms
are specified in section 7.3.»