Re: interpretation of extended key usage

["Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>]

I think that RFC 3280 is pretty clear.  It says:

   If a certificate contains both a key usage extension and an extended
   key usage extension, then both extensions MUST be processed
   independently and the certificate MUST only be used for a purpose
   consistent with both extensions.  If there is no purpose consistent
   with both extensions, then the certificate MUST NOT be used for any
   purpose.

I would not expect a root certificate to contain an extended key usage 
extension.

Russ


At 01:12 PM 7/24/2002 +0200, Heyden, Klaus wrote:

> Hello,
>
> i have a question about the meaning of extended key usage extensions in a
> certificate, specialy in a root certificate.
>
> How is the understanding of extended Key Usages in Root or CA certificates.
> Specialy under the circumstance of certificate path validation. Therefor i
> think two opinions are possible:
>
> (1) the extended key usage is only usable for the use of the public key
> itself and his direct usage i.e. signing of certificates etc. (view RFC 2469
> 4.2.1.13 first sentence). So a root certificate dont need an extended key
> usage, because the public key will only be needed for path validation and
> signing of certificates and CRLs.
>
> (2) the public key is also needed for path validation, so an extended key
> usage can be used to restrict the use of sub and end entity certificates.
>
> I have looked a bit around and found some CA certificates with extended key
> usages, so its a bit confusing. Both way's are imagineable.
>
> Best Regards
> Klaus Heyden
>
>
> Dresdner Bank AG
> D-60301 Frankfurt/Main
> Klaus.Heyden@xxxxxxxxxxxxxxxxx
> +49-(0)69-263-11126
> +49-(0)69-263-15015