ietf-smime

Re: Key usage. No, wait, *extended* key usage

1998-02-05 14:43:14
At 3:43 PM -0500 2/5/98, David P. Kemp wrote:
I believe that S/MIME software which supports the keyUsage and
extendedKeyUsage extensions MUST always ensure that the above checks
are done, regardless of whether the extensions are marked critical.
The only question is whether the S/MIME cert profile mandates support
for these extensions.

I suggest being conformant with the PKIX interpretation of this extension
(the OID must be present only if the extension is marked critical) for
three reasons:

 1. This is really a generalized cert validation issue, with S/MIME as the
    particular application in question, rather than being an S/MIME issue at
    its core. As such, it seems that being in agreement with PKIX is better
    than being different. (Although it certainly appears that stating this
    would not make S/MIME non-compliant with PKIX, as it includes an out for
    applications which would presumably also apply to protocol profiles.)

 2. If S/MIME makes the PKIX interpretation standard, CAs could force the
    behavior you request by making the extended key usage extension
    critical.

 3. If you specify it this way, any existing certificate which has an
    extended key usage field which does not include this OID cannot be
    used for S/MIME. Since several other elements of the S/MIME certificate
    profile seem to have been designed to allow certs issued without the
    specific use of S/MIME in mind to be used with the protocol, this action
    would appear to be in conflict with current direction.

 - Tim

Tim Dierks - Software Haruspex - tim(_at_)dierks(_dot_)org
 "Well, cyberterrorists may be difficult to capture in the act, but from what I
  know about people who are highly skilled with computers, they should be easy
  to beat up." - Ernest Cey, quoted in The Onion, <http://www.theonion.com>
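The two readings argued over in this message, side by side, as an added example that is not code from the thread or from any S/MIME implementation. It decodes the DER of an ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER) with a small hand-written parser and then applies either the "pkix" policy Tim proposes (the emailProtection purpose need only be present when the extension is marked critical) or the "strict" policy Kemp describes (enforce whenever the extension is present, critical or not). The extension byte strings are constructed by hand for this example; the policy names, function names and the treatment of anyExtendedKeyUsage (a wildcard purpose added to PKIX later, in RFC 3280/5280, not discussed in the thread) are this example's own assumptions.

```python
"""Added example: does a certificate's extendedKeyUsage permit S/MIME use?

Standard library only. ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId,
KeyPurposeId ::= OBJECT IDENTIFIER. The sample DER below is constructed
by hand for illustration, not taken from a real certificate.
"""

ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"          # later PKIX wildcard (RFC 5280)


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element) for one DER TLV."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]   # first octet packs the first two arcs
    value = 0
    for b in body[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_ext_key_usage(der):
    """Parse an ExtKeyUsageSyntax DER value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsageSyntax must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(v))
    return oids


def smime_allowed(eku_present, critical, eku_oids, policy):
    """Decide S/MIME acceptability under one of two readings of the extension.

    policy "pkix"  : the S/MIME purpose is required only when the extension
                     is marked critical (the reading Tim argues for).
    policy "strict": the purpose is required whenever the extension is
                     present, regardless of criticality (Kemp's reading).
    """
    if policy not in ("pkix", "strict"):
        raise ValueError("unknown policy: %r" % policy)
    if not eku_present:
        return True                         # no restriction stated by the CA
    if policy == "pkix" and not critical:
        return True                         # non-critical: may be ignored
    return ID_KP_EMAIL_PROTECTION in eku_oids or ANY_EXTENDED_KEY_USAGE in eku_oids


def evaluate(der, critical):
    """Run both policies over one extension value; returns {policy: bool}."""
    oids = parse_ext_key_usage(der)
    return {p: smime_allowed(True, critical, oids, p) for p in ("pkix", "strict")}


# Constructed sample extension values (hex written by hand):
#   30 0a                       SEQUENCE, 10 bytes
#   06 08 2b06010505070302      OID id-kp-clientAuth
EKU_CLIENT_AUTH_ONLY = bytes.fromhex("300a" "06082b06010505070302")
#   30 14                       SEQUENCE, 20 bytes
#   06 08 2b06010505070304      OID id-kp-emailProtection
#   06 08 2b06010505070302      OID id-kp-clientAuth
EKU_EMAIL_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070304" "06082b06010505070302")


if __name__ == "__main__":
    for name, der in (("clientAuth only", EKU_CLIENT_AUTH_ONLY),
                      ("emailProtection+clientAuth", EKU_EMAIL_AND_CLIENT)):
        for critical in (False, True):
            print(name, "critical=%s" % critical, evaluate(der, critical))
```

The interesting row is a non-critical extension listing only clientAuth: the "pkix" policy accepts the certificate for S/MIME while "strict" rejects it, which is exactly the class of already-issued certificates point 3 above is concerned about. Marking the same extension critical makes both policies reject it, which is the lever point 2 says CAs would retain.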