Question about 3280bis keyUsage and extKeyUsage consistency
The draft states:
4.2.1.12 Extended Key Usage

This extension indicates one or more purposes for which the certified
public key may be used, in addition to or in place of the basic
purposes indicated in the key usage extension.
Yet further down it states
...the certificate MUST only be used for a purpose
consistent with both extensions.
So my question relates to the "or in place of" wording. Does it state
"or in place of" only to address situations where there is no keyUsage
present, or also when the existing keyUsage is inadequate for an
intended use?
The follow-up question: in a situation where an IPSec VPN client
application uses end-entity certificates for user authentication
to a head-end device, which combinations of keyUsage and
extKeyUsage would be most correct? My interpretation of the draft
suggests a keyUsage of digitalSignature and nonRepudiation as minimum
requirements, along with an optional extKeyUsage of clientAuth.
An issue has arisen where a cert does not have the nonRepudiation bit
asserted, but it does have digitalSignature and clientAuth. Given that
the nature of IPSec VPNs provides a non-repudiation service, is requiring
the nonRepudiation bit to be set reasonable even if the cert has an
extKeyUsage of clientAuth?
Appreciate any insight,
Eric.
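As an added illustration of the rule being asked about (this code is not part of the original message and takes no position on whether IPSec clients should demand nonRepudiation): the snippet below decodes the DER value of a keyUsage BIT STRING and an extKeyUsage SEQUENCE OF OID, then applies the "consistent with both extensions" logic. Absence of an extension is modelled as None, which is how the "in place of" reading works in practice: an absent keyUsage imposes no bit requirement, so the EKU alone governs, while a present keyUsage must also satisfy the purpose. The required bits and EKU are parameters, so Eric's cert (digitalSignature + clientAuth) is accepted or rejected purely by the local policy passed in. The DER byte strings are constructed test vectors; the OIDs for id-kp-clientAuth and anyExtendedKeyUsage are the RFC 3280 values.

```python
# Added example: decode keyUsage / extKeyUsage extension values and apply the
# RFC 3280 rule that a present extension constrains use, and that when both are
# present the purpose must be consistent with both.

# keyUsage bit positions (RFC 3280 section 4.2.1.3), bit 0 first
KU_BIT_NAMES = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # anyExtendedKeyUsage

# Constructed DER test vectors (not taken from any real certificate)
KU_DS_ONLY = bytes.fromhex("03020780")                  # digitalSignature
KU_DS_NR = bytes.fromhex("030206c0")                    # digitalSignature, nonRepudiation
EKU_CLIENT_AUTH = bytes.fromhex("300a06082b06010505070302")  # { clientAuth }


def _read_tlv(der, offset, expected_tag):
    """Read one DER TLV with a definite (short or long) length.
    Returns (value_bytes, offset_after_tlv)."""
    if der[offset] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{der[offset]:02x}")
    length = der[offset + 1]
    offset += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[offset:offset + n], "big")
        offset += n
    return der[offset:offset + length], offset + length


def parse_key_usage(der):
    """Decode a KeyUsage BIT STRING into the set of asserted bit names."""
    value, _ = _read_tlv(der, 0, 0x03)
    unused, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused    # trailing 'unused' bits are padding
    return {
        KU_BIT_NAMES[i]
        for i in range(min(total_bits, len(KU_BIT_NAMES)))
        if bits[i // 8] & (0x80 >> (i % 8))   # bit 0 is the MSB of the first byte
    }


def _decode_oid(raw):
    """Dotted form of a DER OID body (first byte encodes the first two arcs;
    assumes first arc is 0 or 1, which holds for the id-kp and id-ce arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ext_key_usage(der):
    """Decode ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    seq, _ = _read_tlv(der, 0, 0x30)
    oids, pos = [], 0
    while pos < len(seq):
        raw, pos = _read_tlv(seq, pos, 0x06)
        oids.append(_decode_oid(raw))
    return oids


def check_purpose(required_ku, required_eku, key_usage, ext_key_usage):
    """Decide whether a cert may be used for a purpose needing `required_ku`
    bits and the `required_eku` OID. `key_usage` / `ext_key_usage` are None
    when the extension is absent; an absent extension imposes no constraint."""
    if key_usage is not None:
        missing = set(required_ku) - key_usage
        if missing:
            return False, "keyUsage lacks " + ", ".join(sorted(missing))
    if ext_key_usage is not None:
        if required_eku not in ext_key_usage and ANY_EXTENDED_KEY_USAGE not in ext_key_usage:
            return False, f"extKeyUsage does not include {required_eku}"
    return True, "consistent with both extensions"


if __name__ == "__main__":
    ku = parse_key_usage(KU_DS_ONLY)
    eku = parse_ext_key_usage(EKU_CLIENT_AUTH)
    # Policy A: digitalSignature + nonRepudiation required -> this cert is rejected
    print(check_purpose({"digitalSignature", "nonRepudiation"}, ID_KP_CLIENT_AUTH, ku, eku))
    # Policy B: digitalSignature only -> accepted
    print(check_purpose({"digitalSignature"}, ID_KP_CLIENT_AUTH, ku, eku))
    # keyUsage absent: EKU governs "in place of" the basic purposes -> accepted
    print(check_purpose({"digitalSignature", "nonRepudiation"}, ID_KP_CLIENT_AUTH, None, eku))
```

Note that the three `check_purpose` calls differ only in the policy and in whether keyUsage is present: the same cert passes or fails depending on what the relying application decides the purpose requires, which is exactly the judgement the draft leaves to the application.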