
RE: Absent keyUsage in certificates



"David Cross" <dcross@xxxxxxxxxxxxx> writes:

>But many companies don't want to anticipate the purpose when they issue a 5
>year smartcard, etc.

Doesn't that work the other way as well though?  What if I issue a cert with
no keyUsage (i.e. all usage is OK) that's intended for throwaway use (signing
in to jokeoftheday.com, so I don't protect it much and may even hand it out to
friends) and six months later someone defines a new keyUsage bit
confessingToAssassinateThePresident?  You're assuming that allow-all for any
new usages will be a good thing, but it could quite well be that deny-all is a
better policy.

Peter.
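
The two policies discussed in this message, as an added example that is not part of the original post: a relying-party check that decodes a DER keyUsage BIT STRING and applies either allow-all or deny-all when the extension is absent. The function names, the sample encodings and the use of bit 9 for a usage defined after issuance are assumptions made for illustration; bits 0 to 8 are the RFC 5280 assignments.

```python
# RFC 5280 keyUsage names; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
FUTURE_BIT = 9  # hypothetical usage defined after the certificate was issued

# Constructed sample extension values (DER BIT STRING, short-form length).
SIGN_ONLY = bytes.fromhex("03020780")       # digitalSignature
SIGN_AND_CA = bytes.fromhex("03020284")     # digitalSignature + keyCertSign
ABSENT = None                               # certificate carries no keyUsage


def decode_key_usage(der):
    """Return the set of asserted bit positions, or None if the extension is absent."""
    if der is None:
        return None
    if len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}


def usage_permitted(der, bit, absent_policy):
    """Decide whether usage `bit` is allowed.

    absent_policy ('allow-all' or 'deny-all') only matters when the
    certificate has no keyUsage extension at all.
    """
    if absent_policy not in ("allow-all", "deny-all"):
        raise ValueError("unknown policy")
    asserted = decode_key_usage(der)
    if asserted is None:
        return absent_policy == "allow-all"
    # Extension present: anything not explicitly asserted is refused,
    # including bits that did not exist when the certificate was issued.
    return bit in asserted


if __name__ == "__main__":
    for label, der in (("absent", ABSENT), ("signOnly", SIGN_ONLY)):
        for policy in ("allow-all", "deny-all"):
            print(label, policy, usage_permitted(der, FUTURE_BIT, policy))
```

Only the certificate with no keyUsage changes its answer between the two policies; a certificate that asserts specific bits refuses the later-defined usage under both.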