questions re: pki ExtendedKeyUsage
On page 10 of the IPsec PKI requirements, you write:

    3. ExtendedKeyUsage SHOULD be checked to ensure the certificate
       is valid for the system in question, including the
       criticality fields. This extension MUST be treated as
       critical.

a) which "system" is the system in question?
b) does this mean that the key should be a signing key, or an
   encryption key, or...

I think you mean:

    If RSA (DSS) Signature mode is to be used, the
    ExtendedKeyUsage should include signatures.

    If RSA Encryption mode is to be used, the ExtendedKeyUsage
    should include encryption.

I think we also agreed a while ago that the key should say
"signature" even if the key will be ultimately used to establish an
encrypted session. I imagine you say this somewhere, but I haven't
found it yet.

] Internet Security. Have encryption, will travel |1 Fish/2 Fish[
] Michael Richardson, Sandelman Software Works, Ottawa, ON |Red F./Blow F[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [