
Re: IPSec cert OID usage status ?



At 10:39 AM -0700 5/24/01, William Dixon wrote:
>What do people think a PKI vendor should support as the Extended Key
>Usage OIDs for certificates issued for use with IPSec ? 
>
>From prior bakeoffs, I recall that everyone agreed there would be only 1
>IPSec usage OID, the intermediate one as below, not the 3 that PKIX had
>previously defined.  Rodney's old ipsec certificate profile draft
>suggested that the PKIX OIDs be deprecated.  But that draft is expired.
>Consensus from the last bakeoff was also that people didn't want to
>agree on a particular set of requirements for cert usage in IPSec.
>
>IPSEC_KP_IKE_INTERMEDIATE "1.3.6.1.5.5.8.2.2"
>
>OID_PKIX_KP_IPSEC_END_SYSTEM  "1.3.6.1.5.5.7.3.5"
>
>OID_PKIX_KP_IPSEC_TUNNEL      "1.3.6.1.5.5.7.3.6"
>
>OID_PKIX_KP_IPSEC_USER        "1.3.6.1.5.5.7.3.7"
>

Bill,

The next PKIX base standard (successor to 2459) will not contain any 
Extended Key usage IDs. IPsec and other PKI-enabled protocols should 
create documents to specify these values, and related profiles for 
certs. In your list above, I can understand the first and second 
examples, and maybe the fourth, but not the third, i.e., why would a 
tunnel have a cert?

As for a consensus re NOT agreeing on a cert profile for IPsec, I 
think this is a big mistake and would like to understand the 
motivation behind such a statement.

Steve
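The thread is about which Extended Key Usage OIDs an IPsec certificate should carry. What a practitioner actually has to do with that list is read the EKU extension out of a certificate and see which of those purposes are asserted. The following is an added example, not code from the thread or from any of the participants: it DER-encodes and decodes an ExtendedKeyUsage value (a SEQUENCE OF OBJECT IDENTIFIER) with no third-party library, then maps the decoded OIDs onto the four names quoted above. The sample EKU value is constructed here; the "accept only the IKE intermediate OID" policy in `has_ike_intermediate` is this example's own illustration of the one-OID consensus Bill describes, not a rule the thread settled.

```python
"""Decode an X.509 ExtendedKeyUsage (EKU) value and classify IPsec OIDs.

Added example; minimal DER handling sufficient for EKU (short and long
form lengths, multi-byte OID arcs). Not a general ASN.1 parser.
"""

# EKU OIDs as listed in the quoted message, keyed by dotted form.
IPSEC_EKU_OIDS = {
    "1.3.6.1.5.5.8.2.2": "IPSEC_KP_IKE_INTERMEDIATE",
    "1.3.6.1.5.5.7.3.5": "OID_PKIX_KP_IPSEC_END_SYSTEM",
    "1.3.6.1.5.5.7.3.6": "OID_PKIX_KP_IPSEC_TUNNEL",
    "1.3.6.1.5.5.7.3.7": "OID_PKIX_KP_IPSEC_USER",
}


def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # higher groups carry bit 7
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06]) + _encode_length(len(body)) + bytes(body)


def encode_eku(dotted_oids):
    """Encode an ExtendedKeyUsage value: SEQUENCE (0x30) OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in dotted_oids)
    return bytes([0x30]) + _encode_length(len(body)) + body


def _read_tlv(data, pos):
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length exceeds available data")
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the body of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of dotted OIDs inside an EKU extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, b, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU element is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(b))
    return oids


def ipsec_purposes(der):
    """Map decoded OIDs to the names from the thread; unknown OIDs kept as dotted strings."""
    return [IPSEC_EKU_OIDS.get(o, o) for o in decode_eku(der)]


def has_ike_intermediate(der):
    """Example policy (assumption): accept a cert for IKE only if the
    single agreed-upon intermediate OID is present, ignoring the PKIX ones."""
    return "1.3.6.1.5.5.8.2.2" in decode_eku(der)


# Constructed sample: IKE intermediate plus id-kp-serverAuth (1.3.6.1.5.5.7.3.1).
SAMPLE_EKU = encode_eku(["1.3.6.1.5.5.8.2.2", "1.3.6.1.5.5.7.3.1"])

if __name__ == "__main__":
    print(SAMPLE_EKU.hex())
    print(ipsec_purposes(SAMPLE_EKU))
    print("acceptable for IKE:", has_ike_intermediate(SAMPLE_EKU))
```

To run this against a real certificate, extract the raw bytes of the extension with OID 2.5.29.37 from the TBSCertificate and pass them to `decode_eku`; the parser deliberately rejects trailing data and nested tags it does not expect, so a malformed extension raises rather than silently passing a purpose check.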
