RE: IPSec cert OID usage status ?
William,
Dropping the OIDs from 2459bis is not deprecating them, just not
continuing to publish them in PKIX. It does not make sense for PKIX
to include these values, and the analogous values for TLS and S/MIME,
in its standards.
A cert profile for IPsec is definitely an IPsec WG action, if one
wishes to have one.
The extended key usage extension allows each application to decide
how to make use of these OIDs, so there is no implication that one
would need separate certs for end systems vs. security gateways,
although one might choose to make such a distinction. It's really up
to a PKI-enabled application to decide what it needs and then specify
it. Of the examples you gave, the one that did not seem to make
sense to me was the tunnel example.
There's a lot more to a profile than what is covered by proper path
validation, and it would be appropriate to have a spec that says that
PKIX-specified path validation was defined as the appropriate base,
for example. One could make statements about whether CRLs, OCSP
responses or both had to be supported. One could put into the profile
(vs. putting some in the profile and some in IKE) what alt name forms
are acceptable/required to be supported. One could choose to
discourage use of extensions that don't seem appropriate, to simplify
the PKI context for IPsec, ...
Steve
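The extended key usage mechanics the message refers to, shown as an added example that is not part of the original post or of any PKIX/IETF document: a pure-Python DER encoder/decoder for the extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER), using the id-kp key-purpose OIDs from RFC 2459 section 4.2.1.13, plus a hypothetical per-application acceptance rule, acceptable_for_ipsec, standing in for the decision the message says each PKI-enabled application makes for itself. The policy it applies (no EKU means unrestricted; otherwise an IPsec purpose or anyExtendedKeyUsage must be present) and the sample extension values in the main block are assumptions constructed for this example.

```python
"""Encode/decode an X.509 extendedKeyUsage value and apply an application-chosen
acceptance rule. Added example, not from the original message or any IETF text."""

# Key-purpose OIDs from RFC 2459 section 4.2.1.13 (id-kp = 1.3.6.1.5.5.7.3).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
ID_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"
ID_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

# Hypothetical application policy (an assumption of this example, not a PKIX rule):
# an IPsec peer accepts a cert whose EKU names any IPsec purpose or
# anyExtendedKeyUsage, and treats a missing EKU extension as unrestricted.
IPSEC_PURPOSES = frozenset({ID_KP_IPSEC_END_SYSTEM, ID_KP_IPSEC_TUNNEL, ID_KP_IPSEC_USER})


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs fold into one
    body = bytearray()
    for value in subids:
        chunk = [value & 0x7F]  # base-128 groups; continuation bit on all but last
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    subids, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("malformed OBJECT IDENTIFIER")
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def encode_eku(oids):
    """extKeyUsage extnValue: SEQUENCE OF KeyPurposeId (tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + der_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_eku(der):
    """Parse an extKeyUsage extnValue into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    if not oids:
        raise ValueError("extKeyUsage SEQUENCE must not be empty")
    return oids


def acceptable_for_ipsec(eku_der):
    """Apply the hypothetical IPsec policy; eku_der is None when the cert has no EKU."""
    if eku_der is None:
        return True
    purposes = set(decode_eku(eku_der))
    return ANY_EXTENDED_KEY_USAGE in purposes or bool(purposes & IPSEC_PURPOSES)


if __name__ == "__main__":
    # Constructed sample extension values, not taken from any real certificate.
    samples = {
        "gateway": encode_eku([ID_KP_IPSEC_TUNNEL, ID_KP_IPSEC_END_SYSTEM]),
        "web-only": encode_eku([ID_KP_SERVER_AUTH]),
        "any": encode_eku([ANY_EXTENDED_KEY_USAGE]),
        "no-eku": None,
    }
    for name, der in samples.items():
        verdict = "accept" if acceptable_for_ipsec(der) else "reject"
        print(f"{name:9s} {verdict}", decode_eku(der) if der else [])
```

A TLS or S/MIME application would keep the same decoder and swap only the acceptance rule (looking for id-kp-serverAuth or id-kp-emailProtection instead), which is the point the message makes: the extension carries the OIDs, and what to require is an application profile decision.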