Hi all,

I'm busy adding support for IPSEC server and client certificates to our certificate services portfolio and have run into a conflict between PKIX RFC2459 and draft-ietf-ipsec-pki-req-02.txt. Specifically, with regard to the OIDs used in an ExtendedKeyUsage extension, there are two different proposals.

PKIX has:

  id-kp-ipsecUser
  id-kp-ipsecTunnel
  id-kp-ipsecServer

draft-ietf-ipsec-pki-req-02.txt has:

  iKEEnd
  iKEIntermediate

Are these two complementary or conflicting? My immediate reaction, based on experience in the SSL world, is that it is very important to distinguish between servers and clients, and so the PKIX model makes more sense to me. Is this done differently in the draft-ietf-ipsec-pki-req-02.txt model? Do you use subjectAltNames for this (email vs domainname, for example)?

Also, we're very keen to test interoperability between our certs and your products. If you'd like to do this, please just let me know!

Regards,

--
Mark Shuttleworth
Thawte