Re: interpretation of extended key usage
Russ:
Would it be reasonable for a CA certificate to contain extended key
usage values for CMP usage (or perhaps OCSP)? It would be better practice
for the CA to issue a certificate to its own DN with such values but no
certificate signing ability, of course. It is clear that the extended key
usage extension in a CA certificate is not an analogue to name or policy
constraints.
Tom Gindin
"Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>@mail.imc.org on 07/24/2002 10:10:53 AM
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
To: "Heyden, Klaus" <Klaus.Heyden@xxxxxxxxxxxxxxxxx>
cc: ietf-pkix@xxxxxxx
Subject: Re: interpretation of extended key usage
I think that RFC 3280 is pretty clear. It says:
If a certificate contains both a key usage extension and an extended
key usage extension, then both extensions MUST be processed
independently and the certificate MUST only be used for a purpose
consistent with both extensions. If there is no purpose consistent
with both extensions, then the certificate MUST NOT be used for any
purpose.
I would not expect a root certificate to contain an extended key usage
extension.
Russ
At 01:12 PM 7/24/2002 +0200, Heyden, Klaus wrote:
>Hello,
>
>I have a question about the meaning of extended key usage extensions in a
>certificate, especially in a root certificate.
>
>How are extended key usages in root or CA certificates understood,
>especially under the circumstances of certificate path validation? I
>think two opinions are possible:
>
>(1) the extended key usage is only usable for the use of the public key
>itself and its direct usage, i.e. signing of certificates etc. (see RFC
>2469 4.2.1.13 first sentence). So a root certificate doesn't need an
>extended key usage, because the public key will only be needed for path
>validation and signing of certificates and CRLs.
>
>(2) the public key is also needed for path validation, so an extended key
>usage can be used to restrict the use of sub and end entity certificates.
>
>I have looked a bit around and found some CA certificates with extended
>key usages, so it's a bit confusing. Both ways are imaginable.
>
>Best Regards
>Klaus Heyden
>
>
>Dresdner Bank AG
>D-60301 Frankfurt/Main
>Klaus.Heyden@xxxxxxxxxxxxxxxxx
>+49-(0)69-263-11126
>+49-(0)69-263-15015
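The RFC 3280 rule Russ quotes (process key usage and extended key usage independently, allow only purposes consistent with both) can be applied mechanically. The following is an added example, not code from the thread or from any PKIX implementation; it assumes the KU-bit/EKU-purpose pairings listed in RFC 3280 section 4.2.1.13 and treats anyExtendedKeyUsage as "no EKU restriction", which is a simplification of the text.

```python
# Added example: decide which EKU purposes a certificate may be used for
# under the RFC 3280 rule that KU and EKU are processed independently and
# only purposes consistent with both survive.
from typing import Optional, Set

# keyPurposeId OIDs from RFC 3280 section 4.2.1.13
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage

# For each purpose, the KU bits RFC 3280 lists as consistent with it.
# A purpose is consistent with the KU extension if at least one is asserted.
CONSISTENT_KU = {
    SERVER_AUTH: {"digitalSignature", "keyEncipherment", "keyAgreement"},
    CLIENT_AUTH: {"digitalSignature", "keyAgreement"},
    CODE_SIGNING: {"digitalSignature"},
    EMAIL_PROTECTION: {"digitalSignature", "nonRepudiation",
                       "keyEncipherment", "keyAgreement"},
    TIME_STAMPING: {"digitalSignature", "nonRepudiation"},
    OCSP_SIGNING: {"digitalSignature", "nonRepudiation"},
}


def allowed_purposes(key_usage: Optional[Set[str]],
                     ext_key_usage: Optional[Set[str]]) -> Set[str]:
    """Return the EKU purposes the certificate may be used for.

    key_usage: asserted KU bit names, or None if the extension is absent.
    ext_key_usage: EKU OIDs, or None if the extension is absent.
    When both extensions are present and the result is empty, RFC 3280
    says the certificate MUST NOT be used for any purpose.
    """
    # Step 1: EKU on its own. Absent EKU (or anyExtendedKeyUsage, a
    # simplification assumed here) leaves every purpose available.
    if ext_key_usage is None or ANY_EKU in ext_key_usage:
        eku_ok = set(CONSISTENT_KU)
    else:
        eku_ok = {oid for oid in ext_key_usage if oid in CONSISTENT_KU}
    # Step 2: KU on its own. Absent KU imposes no restriction.
    if key_usage is None:
        return eku_ok
    ku_ok = {oid for oid, bits in CONSISTENT_KU.items() if bits & key_usage}
    # Step 3: only purposes consistent with BOTH extensions survive.
    return eku_ok & ku_ok
```

A CA certificate carrying only keyCertSign/cRLSign plus an OCSPSigning EKU yields an empty set, which is why a separate certificate with digitalSignature, as Tom suggests, is the cleaner design.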