Re: IPSec cert OID usage status ?
At 10:39 AM -0700 5/24/01, William Dixon wrote:
>What do people think a PKI vendor should support as the Extended Key
>Usage OIDs for certificates issued for use with IPSec ?
>
>From prior bakeoffs, I recall that everyone agreed there would be only 1
>IPSec usage OID, the intermediate one as below, not the 3 that PKIX had
>previously defined. Rodney's old ipsec certificate profile draft
>suggested that the PKIX OIDs be deprecated. But that draft is expired.
>Consensus from the last bakeoff was also that people didn't want to
>agree on a particular set of requirements for cert usage in IPSec.
>
>IPSEC_KP_IKE_INTERMEDIATE "1.3.6.1.5.5.8.2.2"
>
>OID_PKIX_KP_IPSEC_END_SYSTEM "1.3.6.1.5.5.7.3.5"
>
>OID_PKIX_KP_IPSEC_TUNNEL "1.3.6.1.5.5.7.3.6"
>
>OID_PKIX_KP_IPSEC_USER "1.3.6.1.5.5.7.3.7"
>
Bill,
The next PKIX base standard (successor to 2459) will not contain any
Extended Key usage IDs. IPsec and other PKI-enabled protocols should
create documents to specify these values, and related profiles for
certs. In your list above, I can understand the first and second
examples, and maybe the fourth, but not the third, i.e., why would a
tunnel have a cert?
As for a consensus re NOT agreeing on a cert profile for IPsec, I
think this is a big mistake and would like to understand the
motivation behind such a statement.
Steve
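The thread is about which Extended Key Usage OIDs an IPsec peer's certificate should carry. The following is an added example, not code from either poster: a minimal pure-Python DER encoder and parser for the ExtendedKeyUsage extension value (a SEQUENCE OF OBJECT IDENTIFIER, as RFC 5280 defines it), followed by a check against the four OIDs quoted above. The sample EKU bytes are constructed by the example's own encoder, not taken from a real certificate, and the acceptance policy in `ipsec_eku_acceptable` is an assumption for illustration, not a rule from the thread.

```python
# Added example (not from the thread): DER handling for ExtendedKeyUsage
# and a policy check against the IPsec EKU OIDs quoted in the discussion.

# The four OIDs quoted in the thread.
IPSEC_KP_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"
PKIX_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
PKIX_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"
PKIX_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"
# anyExtendedKeyUsage from RFC 5280 (not quoted in the thread).
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _encode_arc(value):
    """Base-128 encoding of one OID arc; high bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _der_length(n):
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(data, pos):
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(data[pos:pos + count], "big"), pos + count


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_arc(arcs[0] * 40 + arcs[1])  # first two arcs share one value
    for arc in arcs[2:]:
        body += _encode_arc(arc)
    return b"\x06" + _der_length(len(body)) + body


def decode_oid(body):
    """DER OID content bytes (without tag/length) -> dotted string."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    if first < 40:
        lead = (0, first)
    elif first < 80:
        lead = (1, first - 40)
    else:
        lead = (2, first - 80)
    return ".".join(str(a) for a in lead + tuple(arcs[1:]))


def encode_eku(oids):
    """List of dotted OIDs -> DER ExtendedKeyUsage value (SEQUENCE OF OID)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def parse_eku(der):
    """DER ExtendedKeyUsage value -> list of dotted OIDs; rejects malformed input."""
    if not der or der[0] != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        length, pos = _read_length(der, pos + 1)
        if pos + length > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(decode_oid(der[pos:pos + length]))
        pos += length
    return oids


def ipsec_eku_acceptable(oids, accept_pkix=True):
    """Assumed local policy: accept the IKE intermediate OID (the one the thread says
    bakeoffs settled on) or anyExtendedKeyUsage; optionally also the PKIX IPsec OIDs.
    Whether a certificate with no EKU extension at all is accepted is a separate
    policy decision (RFC 5280 treats absence as unrestricted) and is not decided here."""
    present = set(oids)
    if IPSEC_KP_IKE_INTERMEDIATE in present or ANY_EXTENDED_KEY_USAGE in present:
        return True
    pkix = {PKIX_KP_IPSEC_END_SYSTEM, PKIX_KP_IPSEC_TUNNEL, PKIX_KP_IPSEC_USER}
    return accept_pkix and bool(present & pkix)


# Constructed sample: the EKU value a vendor might put in an IPsec peer cert.
EKU_DER = encode_eku([IPSEC_KP_IKE_INTERMEDIATE, PKIX_KP_IPSEC_END_SYSTEM])

if __name__ == "__main__":
    print(EKU_DER.hex())
    print(parse_eku(EKU_DER), ipsec_eku_acceptable(parse_eku(EKU_DER)))
```

The parser is deliberately strict (it rejects trailing bytes and an OID that overruns its SEQUENCE) because a cert-validation path is exactly where lenient parsing goes wrong; the `accept_pkix` switch models the choice the thread raises between honouring only the intermediate OID and also honouring the three PKIX ones.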