Russ:
Would it be reasonable for a CA certificate to contain extended key usage values for CMP usage (or perhaps OCSP)? It would be better practice for the CA to issue a certificate to its own DN with such values but no certificate signing ability, of course. It is clear that the extended key usage extension in a CA certificate is not an analogue to name or policy constraints.
Tom Gindin
"Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>@mail.imc.org on 07/24/2002 10:10:53 AM
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
To: "Heyden, Klaus" <Klaus.Heyden@xxxxxxxxxxxxxxxxx>
cc: ietf-pkix@xxxxxxx
Subject: Re: interpretation of extended key usage
I think that RFC 3280 is pretty clear. It says:
If a certificate contains both a key usage extension and an extended key usage extension, then both extensions MUST be processed independently and the certificate MUST only be used for a purpose consistent with both extensions. If there is no purpose consistent with both extensions, then the certificate MUST NOT be used for any purpose.
I would not expect a root certificate to contain an extended key usage extension.
Russ
At 01:12 PM 7/24/2002 +0200, Heyden, Klaus wrote:
>Hello,
>
>I have a question about the meaning of extended key usage extensions in a
>certificate, especially in a root certificate.
>
>How is the understanding of extended key usages in root or CA certificates,
>especially under the circumstance of certificate path validation? Therefore I
>think two opinions are possible:
>
>(1) The extended key usage is only usable for the use of the public key
>itself and its direct usage, i.e. signing of certificates etc. (view RFC 2469
>4.2.1.13 first sentence). So a root certificate doesn't need an extended key
>usage, because the public key will only be needed for path validation and
>signing of certificates and CRLs.
>
>(2) The public key is also needed for path validation, so an extended key
>usage can be used to restrict the use of sub and end entity certificates.
>
>I have looked a bit around and found some CA certificates with extended key
>usages, so it's a bit confusing. Both ways are imaginable.
>
>Best Regards
>Klaus Heyden
>
>
>Dresdner Bank AG
>D-60301 Frankfurt/Main
>Klaus.Heyden@xxxxxxxxxxxxxxxxx
>+49-(0)69-263-11126
>+49-(0)69-263-15015
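The RFC 3280 rule Russ quotes (both extensions processed independently, the certificate usable only for a purpose consistent with both, unusable if there is none) can be written down as a small checker. The following is an added example, not code from the thread or from any PKIX implementation. The EKU OIDs and the keyUsage bits that RFC 3280 section 4.2.1.13 lists as consistent with each EKU purpose are taken from that RFC; the certificate records are constructed test data, and the treatment of certificate and CRL signing as "not consistent" with an EKU that lacks anyExtendedKeyUsage is this example's strict reading of the quoted rule, which is why a root certificate carrying an EKU (the case Klaus and Tom ask about) comes out with no usable purpose.

```python
"""RFC 3280 section 4.2.1.13 usage check: a certificate carrying both
keyUsage and extendedKeyUsage may only be used for a purpose consistent
with both. Added example, not from the thread. The EKU OIDs and the
keyUsage bits each EKU purpose needs are taken from RFC 3280; the
certificate records below are constructed test data."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Extended key usage OIDs defined in RFC 3280 section 4.2.1.13.
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

# keyUsage bits consistent with each EKU purpose (RFC 3280 4.2.1.13):
# the purpose is consistent with keyUsage if any listed bit is set.
EKU_KU_BITS = {
    SERVER_AUTH: {"digitalSignature", "keyEncipherment", "keyAgreement"},
    CLIENT_AUTH: {"digitalSignature", "keyAgreement"},
    CODE_SIGNING: {"digitalSignature"},
    EMAIL_PROTECTION: {"digitalSignature", "nonRepudiation", "keyEncipherment", "keyAgreement"},
    TIME_STAMPING: {"digitalSignature", "nonRepudiation"},
    OCSP_SIGNING: {"digitalSignature", "nonRepudiation"},
}

# Purposes expressed only by keyUsage bits; they have no EKU OID.
KU_ONLY_PURPOSES = {"keyCertSign", "cRLSign"}


@dataclass(frozen=True)
class Cert:
    """Only the two extensions that matter here; None means 'extension absent'."""
    subject: str
    key_usage: Optional[FrozenSet[str]]
    ext_key_usage: Optional[FrozenSet[str]]


def eku_purposes(cert: Cert) -> set:
    """Purposes the EKU extension alone permits. An absent extension, or
    anyExtendedKeyUsage, permits every purpose; unknown OIDs are ignored
    because this checker cannot judge their keyUsage consistency."""
    if cert.ext_key_usage is None or ANY_EKU in cert.ext_key_usage:
        return set(EKU_KU_BITS)
    return set(cert.ext_key_usage) & set(EKU_KU_BITS)


def ku_purposes(cert: Cert) -> set:
    """Purposes the keyUsage extension alone permits."""
    if cert.key_usage is None:
        return set(EKU_KU_BITS)
    return {p for p, bits in EKU_KU_BITS.items() if bits & cert.key_usage}


def usable_purposes(cert: Cert) -> set:
    """Process both extensions independently and keep only the purposes
    consistent with both; an empty result means the certificate MUST NOT
    be used for any of these purposes."""
    return eku_purposes(cert) & ku_purposes(cert)


def may_use_for(cert: Cert, purpose: str) -> bool:
    """True if 'purpose' (an EKU OID, or keyCertSign/cRLSign) is consistent
    with both extensions. Under the strict reading of the quoted rule, a
    present EKU that lacks anyExtendedKeyUsage lists every permitted purpose,
    so certificate or CRL signing is not consistent with it."""
    if purpose in KU_ONLY_PURPOSES:
        ku_ok = cert.key_usage is None or purpose in cert.key_usage
        eku_ok = cert.ext_key_usage is None or ANY_EKU in cert.ext_key_usage
        return ku_ok and eku_ok
    return purpose in usable_purposes(cert)


# Constructed certificates (not real ones).
ROOT = Cert("CN=Root CA", frozenset({"keyCertSign", "cRLSign"}), None)
ROOT_WITH_EKU = Cert("CN=Root CA with EKU", frozenset({"keyCertSign", "cRLSign"}),
                     frozenset({SERVER_AUTH}))
OCSP_RESPONDER = Cert("CN=OCSP Responder", frozenset({"digitalSignature"}),
                      frozenset({OCSP_SIGNING}))
TLS_SERVER = Cert("CN=www.example.test", frozenset({"keyEncipherment"}),
                  frozenset({SERVER_AUTH, CLIENT_AUTH}))

if __name__ == "__main__":
    for cert in (ROOT, ROOT_WITH_EKU, OCSP_RESPONDER, TLS_SERVER):
        print(cert.subject, sorted(usable_purposes(cert)),
              "certSign:", may_use_for(cert, "keyCertSign"))
```

Running it shows the plain root (keyUsage only) is fine for certificate signing and nothing else, while the root that also carries an EKU of serverAuth has no purpose consistent with both extensions, which is the outcome Russ's reading predicts. The TLS server case shows the intersection at work in the other direction: clientAuth is listed in its EKU but keyEncipherment alone does not satisfy it, so only serverAuth survives.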