draft-ietf-pkix-rfc3770bis-01: key usage extension




Note: I am starting a separate thread for each of the unresolved issues. I hope this draws more people into the discussion.

Peter:

> >2 ***
> >
> >    If a certificate contains a key usage extension, the KeyUsage bits
> >    that are needed depends on the EAP method that is employed; however,
> >    the keyCertSign bit and the cRLSign MUST NOT be associated with EAP
> >    method end entity certificates.
> >
> >This means that you cannot have a certificate WITHOUT keyUsage?
> >Or, in case of a certificate without keyUsage, you could use it
> >for CrlSigning?
>
> No.  The paragraph only talks about the key usage extension in support of
> EAP methods.  The question you are asking is beyond the scope of the
> paragraph and the whole document.
>

Oops, I made a mistake. I wanted to ask "could you use a certificate
that has no keyUsage for EAP methods?"

Yes. In this case, the certificate is not providing any constraints on the key usage.

Russ
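
The rule discussed in this thread, as an added example that is not part of the original messages or of the draft: a check that accepts an EAP end entity certificate with no keyUsage extension and rejects one whose keyUsage sets keyCertSign or cRLSign. The function names and sample byte strings are constructed for illustration; the input is assumed to be the DER BIT STRING carried inside the extension, with bit positions as defined for KeyUsage in RFC 5280. Which bits a given EAP method needs is not checked.

```python
# Added example; function names and sample values are hypothetical.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")  # bit 0 .. bit 8
FORBIDDEN_FOR_EAP_EE = {"keyCertSign", "cRLSign"}


def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING of a keyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(content) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content octet.
        if content[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def eap_key_usage_ok(key_usage_der):
    """Return (ok, reason); None means the extension is absent."""
    if key_usage_der is None:
        # Absent extension: the certificate places no constraint on key usage.
        return True, "no keyUsage extension"
    bad = parse_key_usage(key_usage_der) & FORBIDDEN_FOR_EAP_EE
    if bad:
        return False, "forbidden bits set: " + ", ".join(sorted(bad))
    return True, "keyUsage present without keyCertSign/cRLSign"


# Constructed sample inputs (not taken from any real certificate).
SAMPLES = {
    "absent": None,
    "sig+keyEnc": bytes.fromhex("030205a0"),   # digitalSignature, keyEncipherment
    "ca-style": bytes.fromhex("03020106"),     # keyCertSign, cRLSign
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, eap_key_usage_ok(value))
```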