Re: End-Entity Certificate Policies
Michael (and David),
For one, I don't think the Extended Key Usage plays a part in validating the
certificate chain. Therefore any CA could put the desired Extended Key Usage
into the EE certificate. The advantage of using Certificate Policies is that
the chain validation checks the right of the CAs to issue the certificates at
each level.
Terry
Michael Myers wrote:
> Dave,
>
> Why not use Extended Key Usage to meet requirements on use-specific
> constraints as you note below (e.g. "OK for email; OK for transactions; OK
> for intranet access; OK for online banking; etc.") and leave Certificate
> Policies to assert a metric on the reliability of a certificate, regardless
> of intended use? As we know, there is at least one instance of the use of
> EKU that has proven the utility of the concept on a broadly deployable
> basis.
>
> Mike
>
> > -----Original Message-----
> > From: Solo, David [mailto:david.solo@citicorp.com]
> > Sent: Thursday, September 02, 1999 9:12 AM
> > To: housley@spyrus.com; ietf-pkix@imc.org
> > Subject: RE: End-Entity Certificate Policies
> >
> >
> > Just adding my voice to the chorus - I'd strongly object to
> > limiting EE certs
> > to a single policy OID. One of the planned deployment models
> > uses policy OIDs
> > as applicability labels (OK for email; OK for transactions;
> > Ok for intranet
> > access; OK for online banking; etc.) These policy OIDs may well be
> > standardized across multiple issuers/organizations. Thus, a
> > given cert may
> > well have multiple such OIDs present (loosely like having
> > multiple card network
> > logos on the back of your ATM/credit card) if approved for
> > multiple purposes.
> > This model also makes RP configuration much simpler.
> >
> > As to policy qualifiers, you can deprecate them everywhere as
> > far as I'm
> > concerned.
> >
> > Dave
> >
> > > -----Original Message-----
> > > From: housley [mailto:housley@spyrus.com]
> > > Sent: Tuesday, August 31, 1999 4:57 PM
> > > To: ietf-pkix
> > > Cc: housley
> > > Subject: End-Entity Certificate Policies
> > >
> > >
> > > Tim Polk and I got together today to discuss the changes
> > > needed to address
> > > the policy mapping bug (as discussed at the Oslo meeting).
> > > As part of this
> > > discussion, we discussed the certificate policy extension.
> > >
> > > We believe that a CA certificate may contain one or more
> > > certificate policy
> > > OID. On the other hand, we believe that an end-entity certificate
> > > containing a certificate policy extension must contain a single
> > > certificate policy OID. RFC 2459 says:
> > >
> > > The certificate policies extension contains a sequence of
> > > one or more
> > > policy information terms, each of which consists of an object
> > > identifier (OID) and optional qualifiers. These policy
> > > information
> > > terms indicate the policy under which the certificate has
> > > been issued
> > > and the purposes for which the certificate may be used.
> > > Optional
> > > qualifiers, which may be present, are not expected to change the
> > > definition of the policy.
> > >
> > > We would like to add words to make it more clear that an end-entity
> > > certificate may only contain a single certificate policy OID. The
> > > explanation of this extension's purpose in a CA certificate
> > > was not spelled
> > > out, so we propose to fix that too. Our proposed text is:
> > >
> > > The certificate policies extension contains a sequence of
> > > one or more
> > > policy information terms, each of which consists of an object
> > > identifier (OID) and optional qualifiers. In an
> > > end-entity certificate,
> > > these policy information terms indicate the single policy
> > > under which
> > > the certificate has been issued and the purposes for
> > > which the certificate
> > > may be used. In a CA certificate, these policy
> > > information terms
> > > limit the set of policies for certification paths which
> > > include this
> > > certificate. Optional qualifiers, which may be present, are not
> > > expected to change the definition of the policy.
> > >
> > > Does anyone disagree?
> > >
> > > Tim and I also discussed certificate policy qualifiers. Tim
> > > and I agree
> > > that certificate policy qualifiers should only appear in end-entity
> > > certificates. That is, we agree that certificate policy
> > > qualifier should
> > > never appear in a CA certificate. Does anyone (besides Mike
> > > Baum) disagree?
> > >
> > > Russ
> > >
> >
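The point Terry makes above (policies are intersected at every CA in the path, while an EKU is read from the end-entity certificate alone) can be shown with a small simulation of the RFC 2459 rule quoted in the thread. This is an added example, not code from the thread or from any PKIX implementation; the certificate model is a toy and the policy OIDs under 1.3.6.1.4.1.99999 are constructed placeholders.

```python
from dataclasses import dataclass

ANY_POLICY = "2.5.29.32.0"          # id-ce-certificatePolicies anyPolicy
# Constructed placeholder OIDs for the "applicability label" policies Dave describes
OID_EMAIL = "1.3.6.1.4.1.99999.1.1"
OID_BANKING = "1.3.6.1.4.1.99999.1.2"

@dataclass
class Cert:
    subject: str
    policies: frozenset            # certificatePolicies OIDs (empty = extension absent)
    eku: frozenset = frozenset()   # extendedKeyUsage OIDs (only meaningful on the EE here)

def valid_policies(chain):
    """Policies that survive the whole path, trust anchor excluded, CA certs first.
    A CA's policies limit the set for every path through it, so the set is
    intersected at each level; an EE asserting a policy no issuer granted ends
    with an empty set. anyPolicy is treated as a wildcard (simplified)."""
    valid = {ANY_POLICY}
    for cert in chain:
        if not cert.policies:
            return set()           # extension absent: nothing is asserted at this level
        if ANY_POLICY in cert.policies:
            continue               # CA does not narrow the set
        valid = set(cert.policies) if ANY_POLICY in valid else valid & cert.policies
        if not valid:
            return set()
    return valid

def policy_ok(chain, oid):
    return oid in valid_policies(chain)

def eku_ok(chain, oid):
    # EKU is not part of path validation: only the end-entity certificate is consulted,
    # so whatever its issuer put there is accepted regardless of the CAs above it.
    return oid in chain[-1].eku

# Constructed chains: the root-issued CA only authorises the e-mail policy.
ca_email = Cert("CN=Email CA", frozenset({OID_EMAIL}))
ee_good = Cert("CN=alice", frozenset({OID_EMAIL}), frozenset({OID_EMAIL}))
ee_bad = Cert("CN=mallory", frozenset({OID_BANKING}), frozenset({OID_BANKING}))
chain_good = [ca_email, ee_good]
chain_bad = [ca_email, ee_bad]     # EE claims banking; its CA was never granted it

if __name__ == "__main__":
    print(valid_policies(chain_good), policy_ok(chain_bad, OID_BANKING), eku_ok(chain_bad, OID_BANKING))
```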