Re: interpretation of extended key usage
"Heyden, Klaus" <Klaus.Heyden@xxxxxxxxxxxxxxxxx> writes:
>(1) the extended key usage is only usable for the use of the public key itself
>and its direct usage i.e. signing of certificates etc. (view RFC 2469 4.2.1.13
>first sentence). So a root certificate doesn't need an extended key usage, because
>the public key will only be needed for path validation and signing of
>certificates and CRLs.
>
>(2) the public key is also needed for path validation, so an extended key
>usage can be used to restrict the use of sub and end entity certificates.
>
>I have looked a bit around and found some CA certificates with extended key
>usages, so it's a bit confusing. Both ways are imaginable.
Both are used (see e.g. the X.509 style guide for comments). If you need to
use one or the other, just find the appropriate standard which specifies the
one you want. Alternatively, if you have to comply with a certain standard,
make sure that the software you're using does actually apply the same
interpretation as the standard.
Peter.
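
Added example, not part of the original thread: a small model of the two interpretations quoted above, showing that the same path can be accepted under one and rejected under the other. The Cert class, the function names and the sample chain are constructed for illustration; only the OIDs are real.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Real EKU OIDs; the certificates below are constructed sample data.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage

@dataclass(frozen=True)
class Cert:
    name: str
    is_ca: bool
    eku: Optional[FrozenSet[str]] = None  # None = extension absent

def allows(cert: Cert, purpose: str) -> bool:
    """No EKU extension, or anyExtendedKeyUsage, places no restriction."""
    return cert.eku is None or ANY_EKU in cert.eku or purpose in cert.eku

def permitted(path: List[Cert], purpose: str, interpretation: str) -> bool:
    """path is ordered root -> end entity.

    "own-key":    EKU describes only the key in the certificate that carries
                  it, so only the end entity's EKU is consulted (case 1).
    "constraint": EKU on a CA certificate also limits every certificate
                  issued beneath it (case 2).
    """
    if interpretation == "own-key":
        return allows(path[-1], purpose)
    if interpretation == "constraint":
        return all(allows(c, purpose) for c in path)
    raise ValueError(f"unknown interpretation: {interpretation}")

def disagreements(path: List[Cert], purposes: List[str]) -> List[str]:
    """Purposes on which the two interpretations give different answers."""
    return [p for p in purposes
            if permitted(path, p, "own-key") != permitted(path, p, "constraint")]

# Constructed chain: the intermediate CA carries EKU = emailProtection only.
ROOT = Cert("Example Root", True)
SUB = Cert("Example Mail CA", True, frozenset({EMAIL_PROTECTION}))
LEAF = Cert("www.example.test", False, frozenset({SERVER_AUTH, EMAIL_PROTECTION}))
PATH = [ROOT, SUB, LEAF]

if __name__ == "__main__":
    for p in (SERVER_AUTH, EMAIL_PROTECTION):
        print(p, permitted(PATH, p, "own-key"), permitted(PATH, p, "constraint"))
```

Running the same purposes through the validator you actually deploy, against a test chain shaped like this one, shows which interpretation it applies.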