Hi Sebastian,

On Fri, Nov 20, 2020 at 07:05:08PM +0100, Sebastian Nielsen wrote:
> The certificates can have different extended key usages, either digital
> signature or encryption - and thus an email client will automatically pick
> the right certificate.
>
> However, the reason the same key shouldn't be used for both signing and
> encryption, is that in textbook RSA, there exist shenanigans, where an attacker
> could send a snooped encrypted message, to the receiver, but blinded with a
> random number. (multiplied).

While this may be *a* reason, I don't think it's the only reason. Another
reason that comes up with some regularity is that isolating a given key to a
single usage greatly simplifies formal analysis of the containing protocol's
security properties, as cross-protocol and cross-algorithm attacks are
definitionally out of scope.

Thanks,

Ben

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
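
The textbook-RSA interaction mentioned in the quoted message, worked through with toy numbers as an added example (not code from either poster or from the ACME working group). The quoted text stops before the end of the scenario, so the example assumes the usual completion, in which the key holder applies the raw private-key operation as a "signature"; all keys, names and values are constructed for illustration.

```python
import math

# Constructed toy keys: textbook RSA, no padding, primes far too small for real use.
def make_key(p, q, e=17):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

ENC_KEY = make_key(61, 53)   # key the snooped message was encrypted to
SIG_KEY = make_key(67, 71)   # separate signing key (the mitigation)

def encrypt(key, m):
    return pow(m, key["e"], key["n"])

def raw_sign(key, x):
    # Assumption: textbook signing is the bare private-key operation,
    # which is the same computation as textbook decryption.
    return pow(x, key["d"], key["n"])

def blinded_request(c, r, pub):
    # c * r^e mod n: to the key holder this looks unrelated to c.
    if math.gcd(r, pub["n"]) != 1:
        raise ValueError("r must be invertible mod n")
    return (c * pow(r, pub["e"], pub["n"])) % pub["n"]

def unblind(s, r, pub):
    # If s came from the decryption key, s = m*r mod n, so s * r^-1 = m.
    return (s * pow(r, -1, pub["n"])) % pub["n"]

def what_signature_reveals(m, r, signing_key):
    # Value recoverable from a signature over the blinded ciphertext.
    c = encrypt(ENC_KEY, m)
    s = raw_sign(signing_key, blinded_request(c, r, ENC_KEY))
    return unblind(s, r, ENC_KEY)

if __name__ == "__main__":
    m, r = 1234, 99
    # Same key for both usages: the signature leaks the plaintext.
    print("shared key  :", what_signature_reveals(m, r, ENC_KEY))
    # Separate signing key: the result is unrelated to the plaintext.
    print("separate key:", what_signature_reveals(m, r, SIG_KEY))
```

With the key isolated to one usage, the signing operation never touches the decryption exponent, which is the cross-usage interaction the reply describes as falling out of scope.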
