ietf-smime

Re: un-*extended* key usage

1998-02-06 14:06:37
Friends,

I worry that we may end up putting too many constraints on the S/MIME certificate(s) that are not related to interoperability of the protocol. We originally specified the key-usage and name extensions because they really (REALLY) did impact interoperability. Almost all of the other useful X.509 extensions affect how the signature or encrypted/random data is interpreted and/or used. For example, if I, as a CA, issue certificates that are good for any number of protocols, it is hard for me to believe that S/MIME (the protocol) really cares. Think of this in the 'Do I support delta-CRLs' vein. I hope (pray) that we don't specify the CRL-ing technique -- it's a CA policy decision. Much like what a particular certificate is good for.

I vote to leave specific recommendations for extended key usage, beyond what X.509 discusses for criticality and other stuff, out of the spec. If a particular CA wants to require extended OIDs in their certificates, so be it. But that's one of those CA 'policy kind of' things.

Pat