
Re: Absent keyUsage in certificates



Sam Roberts <sroberts@xxxxxxxxxxxx> writes:

>I don't see the problem you would like to fix. Are you saying that it's easier
>for a CA to mistakenly not include a KeyUsage than it is to mistakenly
>include a KeyUsage with all bits set?

While I haven't done a comprehensive survey (I don't think that's possible,
given the number of random CAs floating around out there), I've come across a
number of cases where the CA intended to issue (say) a signature-only cert,
forgot a keyUsage, and was rather surprised when told that their cert could be
used for anything at all.  Making keyUsage explicit in all cases just seems
like a nice way of tying up various loose ends.

Peter.
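
The check discussed in this message, as an added example that is not part of the original post: a small issuance lint that treats a missing keyUsage extension as a failure instead of silently accepting an unrestricted key. The function names, the `intended` parameter and the hand-built DER samples are assumptions made for illustration.

```python
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, 2.5.29.15
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign",
             "cRLSign", "encipherOnly", "decipherOnly"]

# Constructed samples: DER-encoded Extensions SEQUENCEs built by hand.
SIGN_ONLY = bytes.fromhex("3010300e0603551d0f0101ff040403020780")
SIGN_AND_ENC = bytes.fromhex("3010300e0603551d0f0101ff0404030205a0")
NO_KEY_USAGE = bytes.fromhex("300e300c0603551d130101ff04023000")  # basicConstraints only

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def key_usage(extensions_der):
    """Return the set of asserted keyUsage bits, or None if the extension is absent."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        _, oid, p = read_tlv(ext, 0)
        if oid != KEY_USAGE_OID:
            continue
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:  # optional critical BOOLEAN precedes extnValue
            _, val, p = read_tlv(ext, p)
        _, bits, _ = read_tlv(val, 0)  # BIT STRING wrapped in the OCTET STRING
        flags = bits[1:]  # first content byte is the unused-bit count
        return {name for i, name in enumerate(BIT_NAMES)
                if i // 8 < len(flags) and flags[i // 8] & (0x80 >> (i % 8))}
    return None

def lint(extensions_der, intended):
    """Compare the certificate's keyUsage against what the CA meant to issue."""
    usage = key_usage(extensions_der)
    if usage is None:
        return "FAIL: keyUsage absent, key is usable for any purpose"
    extra = usage - set(intended)
    return "FAIL: extra usages " + ", ".join(sorted(extra)) if extra else "ok"
```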