RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt
Hi John,
You are right, it can still have multiple values even if critical, sorry for
the confusion.
Bye.
Greg Carter
Entrust Technologies - http://www.entrust.com
http://www.ford-trucks.com/articles/buildup/dana60.html
-----Original Message-----
From: Linn, John [mailto:jlinn@rsasecurity.com]
Sent: Thursday, October 21, 1999 3:13 PM
To: 'Greg Carter'; ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt
Greg wrote, excerpting:
> it must only have one value. Therefore you could remove the "and MUST
> contain only the object identifier iKEIntermediate..." since that would be
> covered by PKIX RFC 2459 section 4.2.1.13 for critical extended key usage
> extensions.
I'm not sure I follow this. RFC-2459, 4.2.1.13, states re EKU that: "If the
extension is flagged critical, then the certificate MUST be used only for
one of the purposes indicated." This doesn't preclude coexistence of
IPsec's iKEIntermediate OID as one value in a critical EKU along with other
OIDs belonging to other applications.