
Re: IPSec cert OID usage status ?



<cranky mood about PKI>

At 10:39 AM -0700 5/24/01, William Dixon wrote:
>What do people think a PKI vendor should support as the Extended Key
>Usage OIDs for certificates issued for use with IPSec ?

I used to have a strong opinion on this. Then I asked the vendors. 
Everyone does something different, except for the large number who do 
nothing at all.

>From prior bakeoffs, I recall that everyone agreed there would be only 1
>IPSec usage OID, the intermediate one as below, not the 3 that PKIX had
>previously defined.

Right. Except those who said "we'll accept anything because we don't 
really understand PKI anyway".

>   Rodney's old ipsec certificate profile draft
>suggested that the PKIX OIDs be deprecated.  But that draft is expired.

There was no interest in it. At this point, I'm the responsible party 
for letting it die. I'm hoping that Dan Harkins will put this in the 
son-of-IKE document, if that document ever gets started.

>Consensus from the last bakeoff was also that people didn't want to
>agree on a particular set of requirements for cert usage in IPSec.

Correct.

</cranky mood about PKI>

--Paul Hoffman, Director
--VPN Consortium

