question on intermediate CA extended key usage
Another possible bugaboo...
The routine checkExtKeyUsage() appears to insist that intermediate CA
certs either do not have an extended key usage field, or that if present
that it contains the anyExtendedKeyUsage value.
I've read through RFC3280 section 4.2.1.13 ("Extended Key Usage") a few
times. It does say
" In general, this extension will appear only in end entity certificates."
It also says
" If a CA includes extended key usages to satisfy such applications,
but does not wish to restrict usages of the key, the CA can include
the special keyPurposeID anyExtendedKeyUsage. If the
anyExtendedKeyUsage keyPurposeID is present, the extension SHOULD NOT
be critical."
But I don't read either of those as saying it is an error for an
intermediate CA to include the extension and pick a finite list of allowed
key usages.
Is there something else I missed that enacts such a rule?
I have found at least one commercial CA vendor that is participating with
the FBCA that does populate this extension with a finite list that doesn't
include anyExtendedKeyUsage.
Best regards,
- Ken Stillson
--
| Ken Stillson | stillson@xxxxxxxxxxxx |
| Sr. Principal Engineer | voice: (703) 610-2965 |
| Mitretek Systems | fax: (703) 610-2399 |
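The two readings at issue in the message above, as an added example that is not code from the post or from the library whose checkExtKeyUsage() routine it mentions. Certificates are reduced to constructed dicts carrying only the fields an EKU check looks at. The "strict" policy is the behaviour the post describes (an intermediate must have no EKU extension or one containing anyExtendedKeyUsage); the "chained" policy is an assumed alternative in which a finite EKU list on a CA merely narrows the purposes permitted below it, so the example also shows how the commercial CA's finite list would constrain its leaves rather than break the chain. The lint function encodes the two RFC 3280 sentences the post quotes. Whether any particular validator implements the chained policy is not something the post establishes.

```python
"""Model of extended key usage (EKU) checks on a certificate chain.

Constructed example: certs are plain dicts, not parsed X.509. Two policies:
  strict  - the rule the post attributes to checkExtKeyUsage(): every
            intermediate CA must lack EKU or include anyExtendedKeyUsage.
  chained - assumed alternative: EKU lists on CAs narrow what is allowed
            for certificates beneath them (set intersection down the chain).
"""

# Well-known OIDs (RFC 3280 section 4.2.1.13 and RFC 3280 appendix A).
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
EMAIL_PROT = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection


def make_cert(subject, is_ca, eku=None, eku_critical=False):
    """eku=None means the extension is absent; a set means it is present."""
    return {"subject": subject, "is_ca": is_ca, "eku": eku,
            "eku_critical": eku_critical}


def strict_intermediate_eku(cert):
    """Policy from the post: EKU absent, or EKU containing anyExtendedKeyUsage."""
    eku = cert["eku"]
    return eku is None or ANY_EKU in eku


def effective_eku(chain):
    """Intersect EKU sets down the chain (ordered root -> leaf).

    A cert with no EKU, or with anyExtendedKeyUsage, imposes no restriction.
    Returns None when nothing restricts the chain, else the allowed set
    (possibly empty when a leaf's purposes fall outside its issuer's list).
    """
    allowed = None
    for cert in chain:
        eku = cert["eku"]
        if eku is None or ANY_EKU in eku:
            continue
        allowed = set(eku) if allowed is None else allowed & set(eku)
    return allowed


def validate_chain(chain, purpose, policy="strict"):
    """Return (accepted, reason) for a chain ordered root, intermediates, leaf."""
    if policy not in ("strict", "chained"):
        raise ValueError("unknown policy: %r" % policy)
    intermediates = chain[1:-1]
    leaf = chain[-1]
    if policy == "strict":
        # Reject the chain outright if any intermediate carries a finite list.
        for ca in intermediates:
            if not strict_intermediate_eku(ca):
                return False, "intermediate %s has a finite EKU list" % ca["subject"]
        allowed = effective_eku([leaf])      # only the leaf's own EKU matters
    else:
        allowed = effective_eku(chain)       # CA lists narrow the leaf
    if allowed is None or purpose in allowed:
        return True, "ok"
    return False, "purpose %s not permitted for %s" % (purpose, leaf["subject"])


def lint_eku(cert):
    """Advisory findings drawn from the RFC 3280 text quoted in the post."""
    findings = []
    eku = cert["eku"]
    if eku is None:
        return findings
    if cert["is_ca"]:
        findings.append("EKU present on a CA certificate "
                        "(RFC 3280: in general end-entity only)")
    if ANY_EKU in eku and cert["eku_critical"]:
        findings.append("anyExtendedKeyUsage present but extension is critical "
                        "(RFC 3280: SHOULD NOT be critical)")
    return findings


# Constructed sample chain: the intermediate has a finite list, as the
# post says one FBCA-participating vendor's CA does.
ROOT = make_cert("Example Root CA", is_ca=True)
INTER = make_cert("Example Issuing CA", is_ca=True, eku={SERVER_AUTH, CLIENT_AUTH})
TLS_LEAF = make_cert("www.example.test", is_ca=False, eku={SERVER_AUTH})
MAIL_LEAF = make_cert("alice@example.test", is_ca=False, eku={EMAIL_PROT})

if __name__ == "__main__":
    for leaf, purpose in ((TLS_LEAF, SERVER_AUTH), (MAIL_LEAF, EMAIL_PROT)):
        for policy in ("strict", "chained"):
            print(policy, leaf["subject"], validate_chain([ROOT, INTER, leaf], purpose, policy))
    print(lint_eku(INTER))
```

Under the strict policy both chains fail at the intermediate regardless of the leaf. Under the chained policy the TLS leaf is accepted, while the e-mail leaf is rejected because the issuing CA's list never included emailProtection, which is the narrowing effect a finite EKU list on a CA has when a validator honours it.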