Re: PKIX WG Last Call: 3770bis
>
> The previous text was intended to help the reader, avoiding the need to
> reread RFC 3280 to get the concepts. I think this text meets this same goal.
Getting the concept may be in a non-normative section, and, as the current text shows, it can get it wrong.
I don't think that this text should be a tutorial for 3280.
> >
> > >
> > > If the extended key usage extension is present, then the certificate
> > > MUST only be used for one of the purposes indicated. If multiple
> > !
> > !BY WHOM?
> >This sentence is nothing special for this text.
>
> By any certificate user. I'll edit the sentence.
What is a certificate user? You mean the private key owner?
>
> > > purposes are indicated the application need not recognize all
> > > purposes indicated, as long as the intended purpose is present.
> >This sentence sounds ok.
I add: this is nothing special with this text.
> >
> > > Certificate using applications MAY require that a particular purpose
> > > (such as id-kp-eapOverPPP or id-kp-eapOverLAN) be indicated in
> > > order for the certificate to be acceptable to that application.
> >This one is a good one.
The application is a certificate user? There are two ends?
>
> That would be listing all of the other bits. For example, EAP-TLS has the
> same rules as TLS, which depends on the cipher suite that is
> negotiated. Other EAP methods could be defined in the future that make use
> of the other ones.
But what is written is that it is not possible to have no keyUsage,
since this would imply *ALL* usages, thus also keyCertSign.
If a certificate contains a key usage extension, the KeyUsage bits
that are needed depend on the EAP method that is employed.
Peter
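The two rules under discussion (an extended key usage extension, when present, restricts the certificate to the purposes it lists, while an absent key usage extension places no restriction on the key at all) are easy to get wrong in relying-party code. The following is an added example, written for this reply and not code from the PKIX WG, RFC 3770 or any draft; it models a certificate as a plain dictionary rather than parsing X.509, and the OID strings for id-kp-eapOverPPP and id-kp-eapOverLAN are the values registered in RFC 3770. The `require_eku` flag is the "MAY require that a particular purpose be indicated" option for an application that wants the stricter behaviour.

```python
"""Relying-party acceptance check for EAP certificates (added example).

Constructed model for illustration: certificates are dicts with optional
"eku" and "key_usage" sets, not parsed X.509 structures.
"""
from typing import Optional, Set

# OIDs as registered in RFC 3770 (id-kp 13 and id-kp 14).
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"
# anyExtendedKeyUsage from RFC 3280 section 4.2.1.13.
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

# KeyUsage bit names from RFC 3280 section 4.2.1.3.
KEY_USAGE_BITS = frozenset({
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
})


def eku_permits(eku: Optional[Set[str]], required: str,
                require_eku: bool = False) -> bool:
    """Apply the extended key usage rule.

    - Extension absent: no restriction, unless the application insists on
      the purpose being indicated (require_eku).
    - Extension present: the intended purpose must be listed; other listed
      purposes the application does not recognise are irrelevant.
    - anyExtendedKeyUsage is treated as permitting every purpose.
    """
    if eku is None:
        return not require_eku
    if ANY_EXTENDED_KEY_USAGE in eku:
        return True
    return required in eku


def key_usage_permits(key_usage: Optional[Set[str]], needed: Set[str]) -> bool:
    """Apply the key usage rule: the bits the EAP method needs must be set.

    An absent extension means no restriction on the key, which is the
    reading objected to above (it would permit keyCertSign as well).
    """
    if not needed <= KEY_USAGE_BITS:
        raise ValueError("unknown KeyUsage bit requested")
    if key_usage is None:
        return True
    return needed <= key_usage


def certificate_acceptable(cert: dict, required_purpose: str,
                           needed_key_usage: Set[str],
                           require_eku: bool = False) -> bool:
    """Combine both rules for one certificate and one EAP use."""
    return (eku_permits(cert.get("eku"), required_purpose, require_eku)
            and key_usage_permits(cert.get("key_usage"), needed_key_usage))


# Constructed sample certificates (not real data).
SAMPLE_CERTS = {
    # EKU lists EAP-over-LAN plus a purpose this application does not know.
    "lan_with_unknown": {"eku": {ID_KP_EAP_OVER_LAN, "1.3.6.1.4.1.99999.1"},
                         "key_usage": {"digitalSignature", "keyEncipherment"}},
    # EKU present but only lists EAP-over-PPP.
    "ppp_only": {"eku": {ID_KP_EAP_OVER_PPP},
                 "key_usage": {"digitalSignature"}},
    # No EKU and no key usage extension at all.
    "no_extensions": {},
    # Key usage present but lacks the bit the cipher suite needs.
    "missing_bit": {"eku": {ID_KP_EAP_OVER_LAN},
                    "key_usage": {"digitalSignature"}},
}


def evaluate_samples(require_eku: bool = False) -> dict:
    """Check every sample for EAP-over-LAN needing digitalSignature+keyEncipherment."""
    needed = {"digitalSignature", "keyEncipherment"}
    return {name: certificate_acceptable(cert, ID_KP_EAP_OVER_LAN, needed, require_eku)
            for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

Note that `no_extensions` is accepted in the default mode and rejected only when `require_eku=True`; that difference is exactly the "MAY require" clause, and it is the case a profile author has to decide on rather than leave to each implementer.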