
RE: Absent keyUsage in certificates
Sorry for delayed reply, I am travelling.  Yes, you are correct, they
don't want to use EE certs for CRL or cert signing, which also require
basic constraints to be set.  But many companies don't want to
anticipate the purpose when they issue a 5 year smartcard, etc.


David B. Cross 

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Peter Gutmann
Sent: Tuesday, May 31, 2005 1:57 AM
To: David Cross; ietf-pkix@xxxxxxx; sroberts@xxxxxxxxxxxx
Subject: RE: Absent keyUsage in certificates


"David Cross" <dcross@xxxxxxxxxxxxx> writes:

>I agree for CA certificates, the Key Usage extension MUST be asserted.
>However, in client (end entity) certificates, this is extremely 
>disadvantageous as it makes deployments and future application 
>consumption difficult.

In what way?  Why can't you just set all the flags that make sense (e.g.
all encryption and signing flags for an RSA key)?  At the moment the few
certs I've seen with keyUsage absent seem to be more an indication of CA
error than an intent to allow them to be used for any purpose (e.g. ones
that have no X.509 keyUsage but do have a Netscape keyUsage that doesn't
match an all-purpose usage, or ones where the CA, when questioned,
admitted that that wasn't at all what they'd intended).  Making keyUsage
mandatory everywhere would make the CA's intent explicit.

>In fact, many many companies and organizations have demanded the 
>acceptance and usage by applications EE certs with this extension 
>absent to indicate all purposes.

All purposes except cert/CRL signing, you mean.  Or do they really want
to use them for all purposes, including cert/CRL signing/verification?

Peter.
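The exchange above turns on two things an application has to do: decode
the keyUsage BIT STRING when it is present, and decide what an absent
extension means.  The following is an added example written for this
page, not code from either poster or from any PKIX implementation.  It
decodes and encodes the DER KeyUsage value with only the Python standard
library (the unused-bits byte and the DER rule that trailing zero bits
are dropped are the usual pitfalls), and applies the convention the
thread describes: absent keyUsage on an end-entity cert means every
purpose except keyCertSign/cRLSign, while a CA cert must carry keyUsage
and basicConstraints.  The sample DER values are constructed for the
example; the "all encryption and signing flags for an RSA key" set is
taken from Peter's message and is labelled as such.  The keyCertSign
check follows RFC 5280 section 4.2.1.3, which forbids keyCertSign when
the cA boolean is not asserted.

```python
"""Decode/encode an X.509 KeyUsage BIT STRING and apply the
'absent keyUsage means all EE purposes' convention from the thread.
Added example, not code from the original thread."""

# Named bits of KeyUsage in the order defined by RFC 5280 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
CA_USAGES = {"keyCertSign", "cRLSign"}
# "All encryption and signing flags for an RSA key" as Peter suggests a
# CA should set on an EE cert (the set itself is our reading, not his).
RSA_EE_USAGES = {"digitalSignature", "nonRepudiation",
                 "keyEncipherment", "dataEncipherment"}


def decode_key_usage(der):
    """Decode the extnValue of a KeyUsage extension (a DER BIT STRING)
    into a set of usage names.  Only short-form lengths are handled,
    which covers every real KeyUsage value (at most 3 bytes of body)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused
    usages = set()
    # Bit 0 is the most significant bit of the first payload byte.
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def encode_key_usage(usages):
    """Encode a set of usage names as a DER BIT STRING, dropping
    trailing zero bits as DER requires for named bit lists."""
    unknown = set(usages) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError("unknown key usage names: %s" % sorted(unknown))
    bits = [1 if name in usages else 0 for name in KEY_USAGE_BITS]
    while bits and bits[-1] == 0:
        bits.pop()
    if not bits:
        return b"\x03\x01\x00"          # empty BIT STRING: nothing asserted
    nbytes = (len(bits) + 7) // 8
    value = 0
    for i, b in enumerate(bits):
        if b:
            value |= 1 << (nbytes * 8 - 1 - i)
    body = bytes([nbytes * 8 - len(bits)]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body)]) + body


def permitted_usages(key_usage, is_ca):
    """Return the usages an application may rely on.

    key_usage: set from decode_key_usage(), or None when the extension
               is absent from the certificate.
    is_ca:     the basicConstraints cA boolean (False if that extension
               is absent).
    Absent keyUsage on an EE cert = all purposes except cert/CRL signing
    (the convention David describes).  A CA cert without keyUsage, or an
    EE cert asserting keyCertSign, is rejected."""
    if key_usage is None:
        if is_ca:
            raise ValueError("CA certificate without keyUsage extension")
        return set(KEY_USAGE_BITS) - CA_USAGES
    if "keyCertSign" in key_usage and not is_ca:
        # RFC 5280 4.2.1.3: keyCertSign requires cA to be asserted.
        raise ValueError("keyCertSign asserted without basicConstraints cA")
    return set(key_usage)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    tls_ee = b"\x03\x02\x05\xa0"   # digitalSignature, keyEncipherment
    root_ca = b"\x03\x02\x01\x06"  # keyCertSign, cRLSign
    print(sorted(decode_key_usage(tls_ee)))
    print(sorted(permitted_usages(decode_key_usage(root_ca), is_ca=True)))
    print(sorted(permitted_usages(None, is_ca=False)))
    print(encode_key_usage(RSA_EE_USAGES).hex())
```

The decoder deliberately rejects long-form lengths and out-of-range
unused-bit counts rather than guessing, since a malformed keyUsage is
exactly the kind of CA error Peter describes and should surface as a
parse failure, not as "all purposes".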