[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Absent keyUsage in certificates

To: ietf-pkix@xxxxxxx, sroberts@xxxxxxxxxxxx
Subject: Re: Absent keyUsage in certificates
From: pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
Date: Fri, 10 Jun 2005 21:39:21 +1200
In-reply-to: <20050603182957.GA11282@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Sam Roberts <sroberts@xxxxxxxxxxxx> writes:

>Also, as you well know, the MUST clauses for certificate generation in PKIX
>are already widely ignored or misintepreted, and we have to deal with those
>certs anyhow. Adding more generation MUST clauses won't help us.

Yeah, fair enough.

>Adding text in PKIX that more clearly explains what the bits are for, and
>what it means for the extension to not be present might be helpful.

Hmm, I think there should then at least be a note in the security requirements
about the default allow-all behaviour of keyUsage, e.g.:

  If no keyUsage extension is specified, the certificate is assumed to be
  valid for any usage except certificate and CRL signing.  In other words if a
  CA forgets to add the keyUsage, the certificate usage fails open rather than
  failing closed.  In addition, new and unexpected usages may appear if
  additional keyUsage bits are defined after the certificate (with its allow-
  all default) is issued.

That at least warns users/CAs of the consequences of the default allow-all
behaviour.

Peter.

References:
- Re: Absent keyUsage in certificates
  - From: Sam Roberts

Prev by Date: RE: RE: CRL sequence issues
Next by Date: RE: Absent keyUsage in certificates
Previous by thread: Re: Absent keyUsage in certificates
Next by thread: RE: Absent keyUsage in certificates
Index(es):
- Date
- Thread