Re: interpretation of extended key usage
You're right, there is no key purpose for CMP. My question is
whether this is a good thing or not, especially if an intermediate CA wants
to publish a certificate for CMP use. How does a remote client recognize
such a certificate? Remember, this issue applies to all CAs, not just
root ones.
Tom Gindin
"Housley, Russ" <rhousley@xxxxxxxxxxxxxxx> on 07/24/2002 04:25:49 PM
To: Tom Gindin/Watson/IBM@xxxxx
cc: ietf-pkix@xxxxxxx
Subject: Re: interpretation of extended key usage
Tom:
I am unaware of any extended key usage OIDs for CMP.
It is quite reasonable for a CA certificate to indicate that the key can be
used to validate OCSP or SCVP responses (if the CA handles these with the
same signing key).
I tend to think of a root CA as being primarily off-line. This
architecture provides for physical protection of the root CA's signing
key. I guess this bias spilled into my response.
Russ
At 03:16 PM 7/24/2002 -0400, Tom Gindin wrote:
> Russ:
>
> Would it be reasonable for a CA certificate to contain extended key
>usage values for CMP usage (or perhaps OCSP)? It would be better practice
>for the CA to issue a certificate to its own DN with such values but no
>certificate signing ability, of course. It is clear that the extended key
>usage extension in a CA certificate is not an analogue to name or policy
>constraints.
>
> Tom Gindin
>
>
>"Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>@mail.imc.org on 07/24/2002
>10:10:53 AM
>
>Sent by: owner-ietf-pkix@xxxxxxxxxxxx
>
>
>To: "Heyden, Klaus" <Klaus.Heyden@xxxxxxxxxxxxxxxxx>
>cc: ietf-pkix@xxxxxxx
>Subject: Re: interpretation of extended key usage
>
>
>
>I think that RFC 3280 is pretty clear. It says:
>
> If a certificate contains both a key usage extension and an extended
> key usage extension, then both extensions MUST be processed
> independently and the certificate MUST only be used for a purpose
> consistent with both extensions. If there is no purpose consistent
> with both extensions, then the certificate MUST NOT be used for any
> purpose.
>
>I would not expect a root certificate to contain an extended key usage
>extension.
>
>Russ
>
>
>At 01:12 PM 7/24/2002 +0200, Heyden, Klaus wrote:
>
> >Hello,
> >
> >I have a question about the meaning of extended key usage extensions in a
> >certificate, especially in a root certificate.
> >
> >How are extended key usages to be understood in root or CA certificates,
> >especially under the circumstances of certificate path validation? Therefore
> >I think two opinions are possible:
> >
> >(1) The extended key usage is only usable for the use of the public key
> >itself and its direct usage, i.e. signing of certificates etc. (see RFC 2469
> >4.2.1.13, first sentence). So a root certificate doesn't need an extended key
> >usage, because the public key will only be needed for path validation and
> >signing of certificates and CRLs.
> >
> >(2) The public key is also needed for path validation, so an extended key
> >usage can be used to restrict the use of sub and end entity certificates.
> >
> >I have looked around a bit and found some CA certificates with extended key
> >usages, so it's a bit confusing. Both ways are imaginable.
> >
> >Best Regards
> >Klaus Heyden
> >
> >
> >Dresdner Bank AG
> >D-60301 Frankfurt/Main
> >Klaus.Heyden@xxxxxxxxxxxxxxxxx
> >+49-(0)69-263-11126
> >+49-(0)69-263-15015
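An added example (not part of the thread) that implements the RFC 3280 rule Russ quotes: the key usage and extended key usage extensions are evaluated separately, and the certificate is accepted only for purposes in the intersection, so a certificate with no purpose consistent with both yields an empty set. The EKU-to-KU compatibility table is an assumption following RFC 2459's guidance; certificate and CRL signing, like CMP, have no EKU key purpose and are outside the table, so a plain root with only keyCertSign/cRLSign gets no EKU-style purpose here.

```python
# Added example: evaluates "processed independently ... only used for a purpose
# consistent with both extensions" (RFC 3280) on decoded extension values.
# OIDs are the id-kp values from RFC 3280 4.2.1.13; the KU_REQUIRED table is an
# assumption modelled on RFC 2459's consistency guidance.

ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

# Assumption: keyUsage bit sets that make each purpose possible. A purpose is
# KU-consistent when any one alternative is a subset of the certificate's bits.
KU_REQUIRED = {
    SERVER_AUTH:      [{"digitalSignature"}, {"keyEncipherment"}, {"keyAgreement"}],
    CLIENT_AUTH:      [{"digitalSignature"}, {"keyAgreement"}],
    CODE_SIGNING:     [{"digitalSignature"}],
    EMAIL_PROTECTION: [{"digitalSignature"}, {"nonRepudiation"},
                      {"keyEncipherment"}, {"keyAgreement"}],
    TIME_STAMPING:    [{"digitalSignature"}, {"nonRepudiation"}],
    OCSP_SIGNING:     [{"digitalSignature"}, {"nonRepudiation"}],
}

def consistent_purposes(ku_bits, eku_oids):
    """Purposes (EKU OIDs) consistent with BOTH extensions.
    ku_bits / eku_oids are None when that extension is absent (no restriction)."""
    # Step 1: what the EKU extension permits, evaluated on its own.
    if eku_oids is None or ANY_EKU in eku_oids:
        eku_ok = set(KU_REQUIRED)
    else:
        eku_ok = set(eku_oids) & set(KU_REQUIRED)  # OIDs not in the table are ignored
    # Step 2: what the KU extension permits, evaluated on its own.
    if ku_bits is None:
        ku_ok = set(KU_REQUIRED)
    else:
        ku_ok = {p for p, alts in KU_REQUIRED.items()
                 if any(alt <= set(ku_bits) for alt in alts)}
    # Step 3: the certificate may only be used for the intersection.
    return eku_ok & ku_ok

def usable_for(purpose, ku_bits, eku_oids):
    return purpose in consistent_purposes(ku_bits, eku_oids)

# Constructed sample profiles (not real certificates):
ROOT = ({"keyCertSign", "cRLSign"}, None)             # typical offline root, no EKU
OCSP_RESPONDER = ({"digitalSignature"}, {OCSP_SIGNING})
BROKEN = ({"keyEncipherment"}, {CODE_SIGNING})         # nothing fits both -> MUST NOT be used
```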