RE: questions re: pki ExtendedKeyUsage
Hi,
I think you are confusing ExtendedKeyUsage with KeyUsage.
Here the ExtendedKeyUsage extension is used to say "IPSEC key". KeyUsage
is still used to identify the key as digitalSignature, keyEncipherment,
etc.
Bye.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
> ----------
> From: Michael Richardson[SMTP:mcr@sandelman.ottawa.on.ca]
> Sent: Thursday, November 19, 1998 3:47 PM
> To: rodney@unitran.com
> Cc: ipsec@tis.com
> Subject: questions re: pki ExtendedKeyUsage
>
> On page 10 of the IPsec PKI requirements, you write:
>
> 3. ExtendedKeyUsage SHOULD be checked to ensure the certificate
> is valid for the system in question, including the
> criticality fields. This extension MUST be treated as
> critical.
>
> a) which "system" is the system in question?
> b) does this mean that the key should be a signing key, or an
> encryption key, or...
> I think you mean:
> If RSA (DSS) Signature mode is to be used, the
> ExtendedKeyUsage should include signatures.
> If RSA Encryption mode is to be used, the ExtendedKeyUsage
> should include encryption.
>
> I think we also agreed awhile ago that the key should say
> "signature" even if the key will be ultimately used to establish an
> encrypted session. I imagine you say this somewhere, but I haven't
> found it yet.
>
> ] Internet Security. Have encryption, will travel |1 Fish/2 Fish[
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |Red F./Blow F[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
>
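The KeyUsage / ExtendedKeyUsage split discussed in this thread, as an added example that is not part of either message or of any Entrust or IPsec working group code. It uses the Python `cryptography` package; the helper names, the test certificate, the mapping of "IPSEC key" to the RFC 2459 id-kp-ipsec* OIDs, and the choice to accept a certificate that lacks either extension are assumptions of this example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: "IPSEC key" means the RFC 2459 purposes id-kp-ipsecEndSystem,
# id-kp-ipsecTunnel and id-kp-ipsecUser (1.3.6.1.5.5.7.3.5/.6/.7).
IPSEC_EKU = {x509.ObjectIdentifier("1.3.6.1.5.5.7.3.%d" % n) for n in (5, 6, 7)}
KU_BITS = ("digital_signature", "content_commitment", "key_encipherment",
           "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
           "encipher_only", "decipher_only")

def make_cert(ku_bits, eku_oids):
    """Build a constructed, self-signed test certificate (sample input only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "gw.example.test")])
    start = datetime.datetime(2024, 1, 1)
    usage = x509.KeyUsage(**{bit: bit in ku_bits for bit in KU_BITS})
    eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier(o) for o in eku_oids])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=30))
            .add_extension(usage, critical=True)
            .add_extension(eku, critical=False)  # flag deliberately unset
            .sign(key, hashes.SHA256()))

def check_ike_cert(cert, mode):
    """Return problems for IKE `mode` ('signature' or 'encryption'); [] = OK."""
    problems = []
    try:  # KeyUsage: which operation the key may perform
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        ok = ku.digital_signature if mode == "signature" else ku.key_encipherment
        if not ok:
            problems.append("KeyUsage does not permit %s mode" % mode)
    except x509.ExtensionNotFound:
        pass  # assumption: an absent KeyUsage places no restriction
    try:  # ExtendedKeyUsage: which application the certificate is for
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        # Enforced whenever present, whatever its critical flag says.
        if not IPSEC_EKU.intersection(eku):
            problems.append("ExtendedKeyUsage names no IPsec purpose")
    except x509.ExtensionNotFound:
        pass  # assumption: an absent ExtendedKeyUsage is accepted
    return problems
```

The two checks are independent: a certificate can pass KeyUsage for signature mode and still be rejected because its ExtendedKeyUsage lists only a non-IPsec purpose such as serverAuth.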