
RE: IPSec cert OID usage status ?
William,

Dropping the OIDs from 2459bis is not deprecating them, just not 
continuing to publish them in PKIX. It does not make sense for PKIX 
to include these values, and the analogous values for TLS and S/MIME, 
in its standards.

A cert profile for IPsec is definitely an IPsec WG action, if one 
wishes to have one.

The extended key usage extension allows each application to decide 
how to make use of these OIDs, so there is no implication that one 
would need separate certs for end systems vs. security gateways, 
although one might choose to make such a distinction. It's really up 
to a PKI-enabled application to decide what it needs and then specify 
it.  Of the examples you gave, the one that did not seem to make 
sense to me was the tunnel example.

There's a lot more to a profile than what is covered by proper path 
validation, and it would be appropriate to have a spec that says that 
PKIX-specified path validation was defined as the appropriate base, 
for example. One could make statements about whether CRLs, OCSP 
responses or both had to be supported. One could put into the profile 
(vs. putting some in the profile and some in IKE) what alt name forms 
are acceptable/required to be supported. One could choose to 
discourage use of extensions that don't seem appropriate, to simplify 
the PKI context for IPsec, ...

Steve
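An added illustration of the point above (not part of the thread): the extendedKeyUsage extension only carries a list of OIDs, and it is the IPsec application's own policy that decides which of them it accepts for a given role. The code below decodes the extension's DER value and applies one such assumed policy; the id-kp values are the ones RFC 2459 defined for IPsec and anyExtendedKeyUsage comes from the later PKIX profile, neither quoted in this message.

```python
# Added example, not from the original thread. Decodes an X.509
# extendedKeyUsage extnValue (DER: SEQUENCE OF OBJECT IDENTIFIER) and
# applies an application-chosen acceptance rule for an IPsec role.
# OID values assumed from RFC 2459 sec. 4.2.1.13 and RFC 5280 (anyEKU).
ID_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
ID_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"
ID_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """OID content octets -> dotted string (first octet packs 40*a + b)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse an extendedKeyUsage value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids

def ipsec_accepts(eku_oids, required):
    """Assumed application policy: no EKU extension means unrestricted;
    otherwise anyExtendedKeyUsage or the role's id-kp OID must be listed."""
    if eku_oids is None:
        return True
    return ANY_EXTENDED_KEY_USAGE in eku_oids or required in eku_oids

# Constructed sample: one EKU naming both ipsecEndSystem and ipsecTunnel,
# so a single cert can serve an end system and a security gateway.
SAMPLE_EKU = bytes.fromhex("3014" "06082b06010505070305" "06082b06010505070306")
```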

