
Re: draft-ietf-pkix-rfc3770bis-01: key usage extension



> 
> > > >2 ***
> > > >
> > > >    If a certificate contains a key usage extension, the KeyUsage bits
> > > >    that are needed depends on the EAP method that is employed; however,
> > > >    the keyCertSign bit and the cRLSign MUST NOT be associated with EAP
> > > >    method end entity certificates.
> > > >
> > > >This means that you cannot have a certificate WITHOUT keyUsage?
> > > >Or, in case of a certificate without keyUsage, you could use it
> > > >for CRL signing?
> > >
> > > No.  The paragraph only talks about the key usage extension in support of
> > > EAP methods.  The question you are asking is beyond the scope of the
> > > paragraph and the whole document.
> > >
> >
> >Oops, I made a mistake. I wanted to ask "could you use a certificate
> >that has no keyUsage for EAP methods?"
> 
> Yes.  In this case, the certificate is not providing any constraints on the 
> key usage.
> 
> Russ

Take a cert with all bits on. This is equivalent to having no keyUsage at all,
as far as I remember. In this case the keyCertSign bit and the cRLSign bit are set,
and the above 'MUST NOT' prohibits use of this cert. Is this what you intend?
I don't think so.

Isn't the right wording: no known EAP usage requires keyCertSign or cRLSign?
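To make the asymmetry raised in this reply concrete, here is an added example (my own code, not from the thread or from any PKIX implementation) that decodes a KeyUsage extension value as a DER BIT STRING and applies the quoted MUST NOT, treating an absent extension as imposing no constraint. The sample encodings are constructed, not taken from real certificates.

```python
"""Decode an X.509 KeyUsage value (DER BIT STRING) and apply the rule from
draft-ietf-pkix-rfc3770bis: EAP method end entity certificates must not
carry keyCertSign or cRLSign; an absent extension imposes no constraint."""

# Bit positions from RFC 5280 section 4.2.1.3. Bit 0 is the most
# significant bit of the first content octet of the BIT STRING.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> frozenset:
    """Parse a DER BIT STRING (tag 0x03) and return the names of the set bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:  # KeyUsage is always short form
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero under DER")
    nbits = len(body) * 8 - unused
    if nbits > len(KEY_USAGE_BITS):
        raise ValueError("undefined KeyUsage bit present")
    return frozenset(
        KEY_USAGE_BITS[i] for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))
    )


def eap_end_entity_allowed(der) -> bool:
    """True if the cert may serve as an EAP end entity cert under the quoted text.

    der is None when the certificate has no key usage extension; the thread's
    answer is that this imposes no constraint, so the result is True."""
    if der is None:
        return True
    return not ({"keyCertSign", "cRLSign"} & decode_key_usage(der))


# Constructed sample encodings (hypothetical, not from any real certificate):
EE_KEY_USAGE = bytes.fromhex("030205a0")   # digitalSignature, keyEncipherment
CA_KEY_USAGE = bytes.fromhex("03020106")   # keyCertSign, cRLSign
ALL_BITS_ON = bytes.fromhex("030307ff80")  # every defined bit set
```

Running it shows the point of the reply: `eap_end_entity_allowed(None)` is True while `eap_end_entity_allowed(ALL_BITS_ON)` is False, even though both are read as "no constraint" by a relying party.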