
Re: draft-ietf-pkix-rfc3770bis-01: key usage extension



> >
> >Take a cert with all bits on. This is equivalent to having no keyUsage at all
> >as far as I remember. In this case the keyCertSign bit and the cRLSign are set,
> >and the above 'MUST NOT' prohibits use of this cert. Is this what you intend?
> >I don't think so.
> >
> >Isn't the right wording: no known EAP usage requires keyCertSign or cRLSign?
> 
> How about: ... however, EAP methods MUST NOT require the keyCertSign bit or
> the cRLSign to be set in end entity certificates.


- the initial text had no keyUsage restriction.

- the current has a restriction that technically doesn't make any
  sense and is incompatible with the standard.

- Above you propose something that is a restriction for EAP methods
  which was not in 3770. Can you justify this change, please?


Peter
PS: Would it be possible to instruct your mail user agent not to send
me two copies just because I am twice in the To list, or else. Thanks