
Re: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt



Paul Hoffman wrote:
> 
> At 04:35 PM 10/25/99 -0700, Brian Korver wrote:
> >Why require that extendedKeyUsage be mandatory at all?
> 
> To identify the cert as being for IKE. I've been told that today's IKE
> systems use this OID as identification. I believe we should have *one* OID
> for all IKE implementations, and not try to slice and dice between "client"
> and "gateway" and so on.
> 
> Are there any IPsec implementations using the IPsec OIDs specified in RFC
> 2459? Are there any implementations that require the use of other OIDs,
> like IKEend (1.3.6.1.5.5.8.2.1)?
> 
> --Paul Hoffman, Director
> --VPN Consortium

Paul,

Why is there a requirement to identify certificates as "for use with IKE"?

BTW, I haven't heard of any implementations that require these IKE OIDs in
ExtendedKeyUsage.  Perhaps someone else has.

brian
briank@cs.stanford.edu      (play)
briank@network-alchemy.com  (work)

