
interpretation of extended key usage



Hello,

I have a question about the meaning of extended key usage extensions in a
certificate, especially in a root certificate.

How are extended key usages in root or CA certificates to be understood,
especially under the circumstances of certificate path validation? On this I
think two opinions are possible:

(1) The extended key usage is only usable for the use of the public key
itself and its direct usage, i.e. signing of certificates etc. (see RFC 2469
4.2.1.13, first sentence). So a root certificate doesn't need an extended key
usage, because the public key will only be needed for path validation and
signing of certificates and CRLs.

(2) The public key is also needed for path validation, so an extended key
usage can be used to restrict the use of sub and end-entity certificates.

I have looked around a bit and found some CA certificates with extended key
usages, so it's a bit confusing. Both ways are imaginable.

Best Regards 
Klaus Heyden 


Dresdner Bank AG 
D-60301 Frankfurt/Main 
Klaus.Heyden@xxxxxxxxxxxxxxxxx 
+49-(0)69-263-11126 
+49-(0)69-263-15015
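
The two readings in the message above, modelled side by side as an added example that is not part of the original post. The `Cert` class, the function names and the sample path are constructed for illustration; certificates are reduced to a subject and an optional set of key purpose OIDs, and `anyExtendedKeyUsage` is treated as permitting every purpose.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Key purpose OIDs from the id-kp arc, plus anyExtendedKeyUsage.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"


@dataclass(frozen=True)
class Cert:
    """Hypothetical, simplified certificate: only the fields needed here."""
    subject: str
    eku: Optional[FrozenSet[str]] = None  # None means the extension is absent


def permits(cert: Cert, purpose: str) -> bool:
    """An absent EKU extension places no restriction on the purpose."""
    return cert.eku is None or purpose in cert.eku or ANY_EKU in cert.eku


def check_leaf_only(path: List[Cert], purpose: str) -> bool:
    """Reading (1): only the end-entity certificate's EKU is consulted."""
    return permits(path[-1], purpose)


def check_chained(path: List[Cert], purpose: str) -> bool:
    """Reading (2): every certificate in the path must permit the purpose."""
    return all(permits(cert, purpose) for cert in path)


def blocking_certs(path: List[Cert], purpose: str) -> List[str]:
    """Subjects whose EKU excludes the purpose, useful when auditing a path."""
    return [cert.subject for cert in path if not permits(cert, purpose)]


# Constructed path, ordered root -> end entity.
SAMPLE_PATH = [
    Cert("Example Root CA", frozenset({EMAIL_PROTECTION})),
    Cert("Example Issuing CA"),  # no EKU extension
    Cert("www.example.test", frozenset({SERVER_AUTH})),
]

if __name__ == "__main__":
    for label, purpose in (("serverAuth", SERVER_AUTH),
                           ("emailProtection", EMAIL_PROTECTION)):
        print(label,
              "leaf-only:", check_leaf_only(SAMPLE_PATH, purpose),
              "chained:", check_chained(SAMPLE_PATH, purpose),
              "blocked by:", blocking_certs(SAMPLE_PATH, purpose))
```

On the sample path the two readings disagree for `serverAuth`: the leaf-only check accepts it, while the chained check rejects it because of the root's EKU.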