Re: Key usage. No, wait, *extended* key usage
1998-02-05 14:43:14
At 3:43 PM -0500 2/5/98, David P. Kemp wrote:
> I believe that S/MIME software which supports the keyUsage and
> extendedKeyUsage extensions MUST always ensure that the above checks
> are done, regardless of whether the extensions are marked critical.
> The only question is whether the S/MIME cert profile mandates support
> for these extensions.
I suggest being conformant with the PKIX interpretation of this extension
(the OID must be present only if the extension is marked critical) for
three reasons:
1. This is really a generalized cert validation issue, with S/MIME as the
particular application in question, rather than being an S/MIME issue at
its core. As such, it seems that being in agreement with PKIX is better
than being different. (Although it certainly appears that stating this
would not make S/MIME non-compliant with PKIX, as it includes an out for
applications which would presumably also apply to protocol profiles.)
2. If S/MIME makes the PKIX interpretation standard, CAs could force the
behavior you request by making the extended key usage extension
critical.
3. If you specify it this way, any existing certificate which has an
extended key usage field which does not include this OID cannot be
used for S/MIME. Since several other elements of the S/MIME certificate
profile seem to have been designed to allow certs issued without the
specific use of S/MIME in mind to be used with the protocol, this action
would appear to be in conflict with current direction.
- Tim
Tim Dierks - Software Haruspex - tim(_at_)dierks(_dot_)org
"Well, cyberterrorists may be difficult to capture in the act, but from what I
know about people who are highly skilled with computers, they should be easy
to beat up." - Ernest Cey, quoted in The Onion, <http://www.theonion.com>
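The two readings of the extendedKeyUsage check argued over above, as an added example that is not part of this thread or of any S/MIME implementation: a decision function that accepts or rejects a certificate for S/MIME under the PKIX interpretation (a missing emailProtection OID is fatal only when the extension is critical) and under the stricter interpretation (the OID is required whenever the extension is present). Certificates are modelled by their EKU extension alone; the OID values for id-kp-emailProtection and anyExtendedKeyUsage are taken from the later RFC 5280 rather than from the thread, and the treatment of anyExtendedKeyUsage as unrestricted is that RFC's rule, not something the thread states.

```python
# Added example, not code from the original thread. Models the S/MIME
# extendedKeyUsage (EKU) decision under two policies so the cases in
# Tim Dierks' points 2 and 3 can be seen side by side.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Key-purpose OIDs as assigned in RFC 5280 (assumption: later than this thread).
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


@dataclass(frozen=True)
class ExtendedKeyUsage:
    """Parsed EKU extension: its critical flag and the key-purpose OIDs it lists."""
    critical: bool
    purposes: FrozenSet[str]


def permits_smime(eku: Optional[ExtendedKeyUsage], policy: str) -> bool:
    """Return True if a certificate with this EKU may be used for S/MIME.

    eku    -- None when the certificate carries no extendedKeyUsage extension.
    policy -- "pkix":   a missing emailProtection OID is fatal only when the
                        extension is marked critical;
              "strict": a missing emailProtection OID is fatal whenever the
                        extension is present at all.
    A certificate without the extension is unrestricted under both policies.
    """
    if policy not in ("pkix", "strict"):
        raise ValueError(f"unknown policy {policy!r}")
    if eku is None:
        return True
    # RFC 5280 rule (assumption, not from the thread): anyExtendedKeyUsage
    # means the extension places no restriction on key purpose.
    if ID_KP_EMAIL_PROTECTION in eku.purposes or ANY_EXTENDED_KEY_USAGE in eku.purposes:
        return True
    # The OID is absent: PKIX lets a non-critical extension through, strict does not.
    return policy == "pkix" and not eku.critical


# Constructed sample certificates, reduced to their EKU extension.
SAMPLE_CERTS: Dict[str, Optional[ExtendedKeyUsage]] = {
    "no-eku": None,
    "noncrit-email": ExtendedKeyUsage(False, frozenset({ID_KP_EMAIL_PROTECTION})),
    # The point-3 case: an existing cert issued for TLS, EKU not critical.
    "noncrit-tls-only": ExtendedKeyUsage(False, frozenset({ID_KP_SERVER_AUTH})),
    # The point-2 case: a CA forcing the strict outcome by marking EKU critical.
    "crit-tls-only": ExtendedKeyUsage(True, frozenset({ID_KP_SERVER_AUTH})),
    "noncrit-any": ExtendedKeyUsage(False, frozenset({ANY_EXTENDED_KEY_USAGE})),
}


def compare_policies(certs=SAMPLE_CERTS) -> Dict[str, Tuple[bool, bool]]:
    """Evaluate each sample under both policies; returns {name: (pkix_ok, strict_ok)}."""
    return {name: (permits_smime(eku, "pkix"), permits_smime(eku, "strict"))
            for name, eku in certs.items()}


if __name__ == "__main__":
    for name, (pkix_ok, strict_ok) in compare_policies().items():
        print(f"{name:18s} pkix={pkix_ok!s:5s} strict={strict_ok}")
```

The only sample on which the two policies disagree is the non-critical TLS-only certificate, which is exactly the existing-certificate population point 3 says the strict reading would lock out; the critical TLS-only certificate is rejected under both, which is the lever point 2 leaves to CAs.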