Re: draft-ietf-pkix-rfc3770bis-01: key usage extension




Peter:

You are the one that complained that there was no discussion of the key usage extension. I am happy to delete the whole paragraph ... you are the one who asked for the topic to be covered.

How about this:

   If a certificate contains a key usage extension, the KeyUsage bits
   that are needed depends on the EAP method that is employed.

Russ

At 04:10 AM 4/15/2005, Peter Sylvester wrote:

> >
> >take a cert with all bits on. This is equivalent to having no keyUsage at all
> >as far as I remember. In this case the keyCertSign bit and the cRLSign are
> >set,
> >and the above 'MUST NOT' prohibits use of this cert. is this what you intend?
> >I don't think so.
> >
> >Isn't the right wording: no known EAP usage requires keyCertSign or cRLSign?
>
> How about: ... however, EAP methods MUST NOT require the keyCertSign bit or
> the cRLSign to be set in end entity certificates.


- the initial text had no keyUsage restriction.

- the current has a restriction that technically doesn't make any
  sense and is incompatible with the standard.

- Above you propose something that is a restriction for EAP methods
  which was not in 3770. Can you justify this change, please.


Peter
PS: Would it be possible to instruct your mail user agent not to send
me two copies just because I am twice in the To list, or else. Thanks