> > > >2 ***
> > > >
> > > > If a certificate contains a key usage extension, the KeyUsage bits
> > > > that are needed depends on the EAP method that is employed; however,
> > > > the keyCertSign bit and the cRLSign MUST NOT be associated with EAP
> > > > method end entity certificates.
> > > >
> > > >This means that you cannot have a certificate WITHOUT keyUsage?
> > > >Or, in case of a certificate without keyUsage, you could use it
> > > >for CrlSigning?
> > >
> > > No. The paragraph only talks about the key usage extension in support of
> > > EAP methods. The question you are asking is beyond the scope of the
> > > paragraph and the whole document.
> > >
> >
> >Oops, I made a mistake. I wanted to ask "could you use a certificate
> >that has no keyUsage for EAP methods?"
>
> Yes. In this case, the certificate is not providing any constraints on the
> key usage.
>
> Russ
Take a cert with all bits on. This is equivalent to having no keyUsage at all,
as far as I remember. In this case the keyCertSign bit and the cRLSign are set,
and the above 'MUST NOT' prohibits use of this cert. Is this what you intend?
I don't think so.
Isn't the right wording: no known EAP usage requires keyCertSign or cRLSign?
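
The three cases discussed in this thread, as an added example that is not part of any message above: a literal reading of the quoted paragraph applied to a certificate with no keyUsage extension, one with two ordinary bits, and one with all bits on. It assumes the extension value is available as a DER BIT STRING; the function names and sample byte strings are constructed for illustration, and the per-method required bits are not checked because the paragraph leaves them to the EAP method.

```python
from typing import Optional, Set

# KeyUsage bit names in X.509 order (bit 0 first).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]
# Bits the quoted paragraph says MUST NOT appear on EAP end entity certs.
FORBIDDEN_FOR_EAP_EE = {"keyCertSign", "cRLSign"}


def parse_key_usage(ext_value: bytes) -> Set[str]:
    """Decode a DER BIT STRING holding KeyUsage into a set of bit names."""
    if len(ext_value) < 3 or ext_value[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = ext_value[1]
    if length >= 0x80 or length != len(ext_value) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = ext_value[2], ext_value[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # Bit 0 is the most significant bit of the first payload byte.
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return names


def eap_ee_key_usage_ok(ext_value: Optional[bytes]) -> bool:
    """Literal reading: an absent extension constrains nothing; a present
    one must not assert keyCertSign or cRLSign."""
    if ext_value is None:
        return True
    return not (parse_key_usage(ext_value) & FORBIDDEN_FOR_EAP_EE)


# Constructed sample extension values (not taken from real certificates).
NO_EXTENSION = None
SIG_AND_ENC = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
ALL_BITS_ON = bytes.fromhex("030307ff80")  # all nine bits set

if __name__ == "__main__":
    for label, value in [("none", NO_EXTENSION), ("sig+enc", SIG_AND_ENC),
                         ("all bits", ALL_BITS_ON)]:
        print(label, eap_ee_key_usage_ok(value))
```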