ietf-smime

Re: Key usage. No, wait, *extended* key usage

1998-02-05 12:44:19
At 1:04 AM -0800 2/5/98, Blake Ramsdell wrote:
> What to do about extendedKeyUsage?  Do we require that
> id-kp-emailProtection MUST be set if extendedKeyUsage is present,
> otherwise don't use the certificate?  This object identifier seems to
> apply to us.

Based on PKIX, I believe the correct thing to do is to require that
id-kp-emailProtection MUST be set if the extended key usage extension is
marked as critical. If the extension is not marked as critical, the key
purpose values are only advisory, but they are useful for deciding which of
several certificates is the appropriate one for email protection.

 - Tim

Tim Dierks - Software Haruspex - tim(_at_)dierks(_dot_)org
 "Well, cyberterrorists may be difficult to capture in the act, but from what I
  know about people who are highly skilled with computers, they should be easy
  to beat up." - Ernest Cey, quoted in The Onion, <http://www.theonion.com>
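
The rule proposed in the message above, as an added example that is not part of the original post: it decodes an extendedKeyUsage value, rejects a certificate whose critical extension lacks id-kp-emailProtection, and treats non-critical values as a preference when choosing among several certificates. The function names, the preference ordering (in particular where a certificate with no extension ranks) and the sample byte strings are assumptions constructed for illustration.

```python
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)         # first group packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_eku(der):
    """Parse an extendedKeyUsage value (SEQUENCE OF OID), short lengths only."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2 or der[1] > 0x7F:
        raise ValueError("expected a short-form DER SEQUENCE")
    oids, pos = set(), 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos] != 0x06 or der[pos + 1] > 0x7F:
            raise ValueError("expected a short-form OBJECT IDENTIFIER")
        end = pos + 2 + der[pos + 1]
        if end > len(der):
            raise ValueError("OID runs past the end of the SEQUENCE")
        oids.add(decode_oid(der[pos + 2:end]))
        pos = end
    return oids

def rank(eku):
    """eku is None (extension absent) or (critical, der_value).
    Returns None when the certificate must not be used, else a preference."""
    if eku is None:
        return 1                          # no restriction stated (assumed middle rank)
    critical, der = eku
    if EMAIL_PROTECTION in parse_eku(der):
        return 2                          # explicitly marked for e-mail
    return None if critical else 0        # critical: reject; otherwise advisory

def choose(certs):
    """certs maps a label to its eku tuple; return the preferred usable label."""
    usable = [(score, name) for name, eku in certs.items()
              if (score := rank(eku)) is not None]
    return max(usable)[1] if usable else None

# Constructed sample extension values (not taken from real certificates).
SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")
EMAIL = bytes.fromhex("300a06082b06010505070304")
BOTH = bytes.fromhex("301406082b0601050507030106082b06010505070304")
```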