Does self-signed encryption certificate violate "no multi-use keys" principle?
Say that I have generated an RSA keypair, which I intend to publish only for use with RSA-KEM; I can see that this is provisioned for:
The intended application for the key MAY be indicated in the key usage certificate extension (see RFC 5280, Section 4.2.1.3). If the
keyUsageextension is present in a certificate that conveys an RSA public key with the id-rsa-kem object identifier as discussed above, then the key usage extension MUST contain the following value:keyEncipherment
dataEnciphermentSHOULD NOT be present. That is, a key intended to be employed only with the RSA-KEM Key Transport Algorithm SHOULD NOT also be employed for data encryption or for authentication such as in signatures.
and that this provision exists for a good reason (emphasis added):
Generally, good cryptographic practice employs a given RSA key pair in only one scheme. This practice avoids the risk that vulnerability in one scheme may compromise the security of the other, and may be essential to maintain provable security. While RSA public keys have often been employed for multiple purposes such as key transport and digital signature without any known bad interactions, for increased security assurance, such combined use of an RSA key pair is NOT RECOMMENDED in the future (unless the different schemes are specifically designed to be used together).
Accordingly, an RSA key pair used for the RSA-KEM Key Transport Algorithm SHOULD NOT also be used for digital signatures. (Indeed, the Accredited Standards Committee X9 (ASC X9) requires such a separation between key establishment key pairs and digital signature key pairs.) Continuing this principle of key separation, a key pair used for the RSA-KEM Key Transport Algorithm SHOULD NOT be used with other key establishment schemes, or for data encryption, or with more than one set of underlying algorithm components.
My question, then, is: is there a "proper" way to self-sign one of these certificates?
Would it be usual or appropriate to certify the KEM keypair using your signature keypair, which can safely terminate the trust chain by signing itself?
Or are X.509, CMS, PKCS#12, and RSA-KEM just so obscure outside of enterprise (non-self-signed) PKI contexts that the best-practice here has never been established?
