Fraser,
Thanks for these editorial clarifications; they seem like good things to do!

This text does not imply that other bits, including
keyEncipherment/keyAgreement, MUST NOT be set. I would suggest
appending "and no other bits set", i.e.:

    In order to request signing only S/MIME certificate, the CSR MUST
    include the key usage extension with digitalSignature and/or
    nonRepudiation bits set, and no other bits set.

Similarly for the subsequent paragraph (which can be solved the same
way):

    In order to request encryption only S/MIME certificate, the CSR MUST
    include the key usage extension with keyEncipherment and/or
    keyAgreement bits set.

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
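
Added example, not part of the original message or of the draft: a check of a CSR's KeyUsage value under the two readings discussed above, "bits set" versus "and no other bits set". Bit names and positions are those of the KeyUsage BIT STRING in RFC 5280; the function names and the sample DER values are constructed for illustration.

```python
# Added example: the helpers and sample values below are hypothetical.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")
SIGNING = {"digitalSignature", "nonRepudiation"}
ENCRYPTION = {"keyEncipherment", "keyAgreement"}

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension into bit names."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER BIT STRING with content")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    names = set()
    # Named bit 0 is the most significant bit of the first content octet.
    for i in range(len(payload) * 8 - unused):
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit %d is not defined for KeyUsage" % i)
            names.add(KEY_USAGE_BITS[i])
    return names

def allows_loose(bits: set, wanted: set) -> bool:
    """'with X and/or Y bits set': at least one wanted bit is present."""
    return bool(bits & wanted)

def allows_strict(bits: set, wanted: set) -> bool:
    """'... and no other bits set': non-empty and nothing outside wanted."""
    return bool(bits) and bits <= wanted

# Constructed sample keyUsage values (DER: tag 03, length, unused bits, bits).
SIGN_ONLY = bytes.fromhex("030206c0")          # digitalSignature, nonRepudiation
SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment
ENCRYPT_ONLY = bytes.fromhex("03020328")       # keyEncipherment, keyAgreement

if __name__ == "__main__":
    for label, der in (("sign-only", SIGN_ONLY),
                       ("sign+encipher", SIGN_AND_ENCIPHER),
                       ("encrypt-only", ENCRYPT_ONLY)):
        bits = parse_key_usage(der)
        print(label, sorted(bits),
              "loose-signing:", allows_loose(bits, SIGNING),
              "strict-signing:", allows_strict(bits, SIGNING),
              "strict-encryption:", allows_strict(bits, ENCRYPTION))
```

The sign+encipher sample passes the loose signing check but fails the strict one, which is the ambiguity the suggested wording closes.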