RE: Extended Key Usage and path validation
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
>I agree with Patrick Patterson and Michael Ströder that using the
>Certificate Policies extension to control usage of the EE key
>"messes with" the CP extension.
I agree with you. I do not think it is the proper extension. The Certificate
Policies extension has a role in path validation and trust management, but
given that there is no standardization of Certificate Policies, it will be
hard if not impossible to use it for key usage management.
>The policy under which certificates
>are issued seems tenuously related, if not completely unrelated,
>to the applications which make use of the certificates.
I always thought that the certificate policy under which a certificate is
issued is closely related with the applications that make use of them.
Certificate policy - A named set of rules that indicates the
applicability of a certificate to a particular community and/or
class of application with common security requirements. For
example, a particular certificate policy might indicate
applicability of a type of certificate to the authentication of
electronic data interchange transactions for the trading of goods
within a given price range.
What's the important word of this definition? Applicability as for
nonRepudiation, digitalSignature, etc.? Or class of application, like TLS
authentication, S/MIME confidentiality, etc.? I think both of them.
I really think that EKU is an important extension, because you can profile
different policies for applications. For example, a TLS certificate and an
S/MIME certificate could have the same KU extension but different EKU
ones. Or the other way round, you could have two S/MIME certificates, one for
signing (KU digitalSignature) and one for confidentiality (KU
keyEncipherment). The EKU will reflect the statements made in the CP, for
the sake of automation. Maybe it will be useful to define EKUs
appropriate for CA certificates (as Netscape did with the Netscape Cert Type
extension).
But, as always, I am not quite sure about it.
Best regards
Roberto
===========================================
Roberto Lopez Navarro
[mailto:rolopez@sgi.es]
tfno: +34 91 806 46 40
fax: +34 91 806 46 41
SGI Soluciones Globales Internet
[http://www.sgi.es]
GMV Sistemas S.A.
============================================
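The KU/EKU profiling described in the message above, as an added example that is not part of the original thread: a relying-party check that a certificate may only be used for a purpose consistent with both its Key Usage and Extended Key Usage extensions, as RFC 5280 requires. The certificates are constructed dicts mirroring the four profiles in the message (a TLS and an S/MIME certificate with the same KU but different EKU; two S/MIME certificates split by KU), and the KU bits each application accepts are an assumed local profile, not something the message or RFC 5280 prescribes.

```python
"""Added example (not from the original message): decide whether an end-entity
certificate's KU and EKU extensions permit a given application use.  RFC 5280
4.2.1.12: when both extensions are present they are processed independently
and the certificate may only be used for a purpose consistent with both; an
absent extension imposes no restriction.  Certificates are constructed dicts,
not real certificates; OIDs are the IETF-assigned id-kp values."""

# Extended Key Usage OIDs (RFC 5280, section 4.2.1.12)
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Assumed local application profiles: the EKU purpose each application needs
# and the KU bits that are acceptable for it (any one of the bits suffices).
APPLICATIONS = {
    "tls-server": (SERVER_AUTH, {"digitalSignature", "keyEncipherment", "keyAgreement"}),
    "smime-sign": (EMAIL_PROTECTION, {"digitalSignature", "nonRepudiation"}),
    "smime-encrypt": (EMAIL_PROTECTION, {"keyEncipherment", "keyAgreement"}),
}


def usable_for(cert, application):
    """Return (ok, reason).  `cert` has optional 'ku' (set of KU bit names)
    and 'eku' (list of OID strings); a missing extension means no restriction."""
    eku_needed, ku_allowed = APPLICATIONS[application]
    eku = cert.get("eku")
    if eku is not None and eku_needed not in eku and ANY_EKU not in eku:
        return False, "EKU present but does not include %s" % eku_needed
    ku = cert.get("ku")
    if ku is not None and not (ku & ku_allowed):
        return False, "KU present but has none of %s" % sorted(ku_allowed)
    return True, "KU and EKU both consistent with %s" % application


# Constructed profiles from the message: same KU, different EKU (tls vs
# smime-both); and two S/MIME certificates split by KU bit.
PROFILES = {
    "tls": {"ku": {"digitalSignature", "keyEncipherment"}, "eku": [SERVER_AUTH]},
    "smime-both": {"ku": {"digitalSignature", "keyEncipherment"}, "eku": [EMAIL_PROTECTION]},
    "smime-signer": {"ku": {"digitalSignature"}, "eku": [EMAIL_PROTECTION]},
    "smime-recipient": {"ku": {"keyEncipherment"}, "eku": [EMAIL_PROTECTION]},
}

if __name__ == "__main__":
    for name, cert in PROFILES.items():
        for app in APPLICATIONS:
            print("%-16s %-14s %s" % (name, app, usable_for(cert, app)))
```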