Quick question re Extended Key Usage and VPNs
Hi,
Just some quick questions which I hope that someone will be able to answer
definitively based on practical experience.
Three Extended Key Usage OIDs are defined by PKIX that are relevant to the
support of VPNs:
OID_PKIX_KP_IPSEC_END_SYSTEM 1.3.6.1.5.5.7.3.5
OID_PKIX_KP_IPSEC_TUNNEL 1.3.6.1.5.5.7.3.6
OID_PKIX_KP_IPSEC_USER 1.3.6.1.5.5.7.3.7
plus one that appears to have been proposed by Microsoft (could be wrong
here):
iKEIntermediate 1.3.6.1.5.5.8.2.2
although I note that the Microsoft certificate manager module does not appear to
recognise the latter as a named Extended Key Usage (it does recognise the
PKIX values).
What in your opinion should be set for VPN concentrators such as Cisco etc
and what should be set for end user VPN clients such as MS VPN client etc.?
Various sources seem to suggest that the iKEIntermediate value is required
in many cases, including the ICSA Labs IPSEC Certificate Profile used for
interoperability testing.
There appears to be no clear guidance on this and other aspects of
certificate profiles relating to VPN usage (e.g. key usage, naming,
subjectAlternateName).
I have some temporary working certificate profiles, but I suspect these may
be unnecessarily lax in allowing more than is actually required in VPN
operations. Any comments based on practical observations would be greatly
appreciated. I do understand that this is not the normal function of this
group and email list, but given that there would appear to be no generally
accepted standard for a certificate profile in this space and that probably
a lot of expertise exists on this list to suggest recommended settings, I
thought I'd take a punt.
Many thanks for your time
Dean Adams
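An added example, not part of the post above: a dependency-free encoder and decoder for the ExtendedKeyUsage extension value (DER, a SEQUENCE OF OBJECT IDENTIFIER), which lets you pull the EKU list out of a certificate and compare it against the set of purposes a VPN profile is meant to allow. The OID names are the ones quoted in the post plus a few common PKIX purposes; the "expected" profiles passed to `check_profile` and the DER blobs built in `main` are constructed for illustration, since the post itself notes there is no agreed profile.

```python
"""
Encode and decode the ExtendedKeyUsage extension value and flag EKU sets that
are wider than an expected VPN profile. Added example; OID names and sample
profiles are assumptions for illustration.
"""

# OIDs quoted in the post, plus common PKIX purposes a lax profile might carry.
VPN_EKU = {
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
    "1.3.6.1.5.5.8.2.2": "iKEIntermediate",
}
OTHER_EKU = {
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.3": "id-kp-codeSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
ANY_EKU = "2.5.29.37.0"


def _encode_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_len(data, pos):
    """Return (length, position after the length octets)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                   # base-128, high bit on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return b"\x06" + _encode_len(len(out)) + bytes(out)


def decode_oid(body):
    """DER OID content octets -> dotted string (first arc 0/1/2 only)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids):
    """List of dotted OIDs -> DER ExtendedKeyUsage value (SEQUENCE OF OID)."""
    content = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_len(len(content)) + content


def decode_eku(der):
    """DER ExtendedKeyUsage value -> list of dotted OIDs, rejecting bad tags."""
    if der[0] != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    length, pos = _decode_len(der, 1)
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        ln, pos = _decode_len(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + ln]))
        pos += ln
    return oids


def describe_eku(der):
    """Pair each EKU OID with its name, or 'unknown' if not in our tables."""
    return [(o, VPN_EKU.get(o) or OTHER_EKU.get(o) or "unknown") for o in decode_eku(der)]


def check_profile(der, allowed):
    """Compare the EKU set in `der` with the purposes a profile should allow."""
    present = set(decode_eku(der))
    return {
        "missing": sorted(set(allowed) - present),
        "extra": sorted(present - set(allowed)),
        "any_eku": ANY_EKU in present,  # anyExtendedKeyUsage defeats the restriction
    }


if __name__ == "__main__":
    # Constructed sample: a cert issued from a lax profile (has serverAuth,
    # clientAuth and anyEKU) checked against an assumed gateway profile.
    gateway_profile = ["1.3.6.1.5.5.7.3.6", "1.3.6.1.5.5.8.2.2"]  # assumption
    lax = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2",
                      "1.3.6.1.5.5.7.3.6", ANY_EKU])
    for oid, name in describe_eku(lax):
        print(f"{oid:22s} {name}")
    print(check_profile(lax, gateway_profile))
```

Feed `decode_eku` the raw extension value of a certificate's EKU extension (the OCTET STRING contents, not the whole Extension SEQUENCE) and `check_profile` reports the purposes the profile should have but lacks, the ones it carries beyond the profile, and whether anyExtendedKeyUsage is present, which is the case the post's concern about "unnecessarily lax" profiles most needs catching.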