
questions re: pki ExtendedKeyUsage



  On page 10 of the IPsec PKI requirements, you write:

            3. ExtendedKeyUsage SHOULD be checked to ensure the certificate
               is valid for the system in question, including the
               criticality fields.  This extension MUST be treated as
               critical.

  a) which "system" is the system in question?
  b) does this mean that the key should be a signing key, or an
encryption key, or...
  I think you mean:
	If RSA (DSS) Signature mode is to be used, the
	ExtendedKeyUsage should include signatures.
	If RSA Encryption mode is to be used, the ExtendedKeyUsage
	should include encryption.

  I think we also agreed a while ago that the key should say
"signature" even if the key will be ultimately used to establish an
encrypted session.  I imagine you say this somewhere, but I haven't
found it yet.

]     Internet Security. Have encryption, will travel           |1 Fish/2 Fish[
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |Red F./Blow F[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [