RE: Absent keyUsage in certificates
"David Cross" <dcross@xxxxxxxxxxxxx> writes:
>I agree for CA certificates, the Key Usage extension MUST be asserted.
>However, in client (end entity) certificates, this is extremely
>disadvantageous as it makes deployments and future application consumption
>difficult.
In what way? Why can't you just set all the flags that make sense (e.g. all
encryption and signing flags for an RSA key)? At the moment the few certs
I've seen with keyUsage absent seem to be more an indication of CA error than
an intent to allow them to be used for any purpose (e.g. ones that have no
X.509 keyUsage but do have a Netscape keyUsage that doesn't match an all-
purpose usage, or ones where the CA, when questioned, admitted that that
wasn't at all what they'd intended). Making keyUsage mandatory everywhere
would make the CA's intent explicit.
>In fact, many many companies and organizations have demanded the acceptance
>and usage by applications of EE certs with this extension absent to indicate all
>purposes.
All purposes except cert/CRL signing, you mean. Or do they really want to
use them for all purposes, including cert/CRL signing/verification?
Peter.
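As an added illustration (mine, not code from the thread or from either poster), a small dependency-free Python check that decodes the KeyUsage BIT STRING and applies the policy argued above: an absent keyUsage is rejected on a CA cert and read as "all purposes except cert/CRL signing" on an end-entity cert. The DER encodings in the demo are constructed samples.

```python
# Added example: decode the X.509 KeyUsage BIT STRING (RFC 5280 4.2.1.3) and
# decide what a verifier accepts when the extension is absent. The policy is
# the one argued above: absent on a CA cert -> reject; absent on an end-entity
# cert -> "all purposes" minus cert/CRL signing. No third-party libraries.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
CERT_SIGNING = {"keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:  # short-form length is enough here
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):  # DER: padding bits must be zero
        raise ValueError("non-zero padding bits")
    usages = set()
    for i in range(min(len(body) * 8 - unused, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of byte 0
            usages.add(KEY_USAGE_BITS[i])
    return usages


def effective_key_usage(key_usage_der, is_ca: bool) -> set:
    """Usages a verifier should accept. key_usage_der is None if the extension
    is absent. Raises ValueError when the certificate should be rejected."""
    if key_usage_der is None:
        if is_ca:
            raise ValueError("CA certificate without keyUsage")
        return set(KEY_USAGE_BITS) - CERT_SIGNING
    usages = decode_key_usage(key_usage_der)
    if not is_ca and "keyCertSign" in usages:  # RFC 5280 4.2.1.9
        raise ValueError("keyCertSign asserted on a non-CA certificate")
    return usages


if __name__ == "__main__":
    # Constructed encodings: a typical TLS server cert and a typical CA cert.
    print(sorted(effective_key_usage(bytes.fromhex("030205a0"), is_ca=False)))
    print(sorted(effective_key_usage(bytes.fromhex("03020106"), is_ca=True)))
    print(sorted(effective_key_usage(None, is_ca=False)))
```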