ietf-smime

RE: Key usage. No, wait, *extended* key usage

1998-02-13 12:53:58
John,
I agree with your suggestion to add wording like: "Prior to using the public key included in a certificate to support S/MIME security services, if the extendedKeyUsage extension is present in the certificate and is indicated as being critical, then the S/MIME software MUST ensure that the id-kp-emailProtection OID is present. This check is only required for the end-entity certificates."

The above is not the way that I had read the docs and how extendedKeyUsage would/should be evaluated. I am curious why you think that only the end-entity certificate should be checked? I had thought that the entire chain should be checked even though I did not really expect to see any extendedKeyUsage extensions once I got off the end-entity certificate.

I can see the case occurring where a super-CA might say that this CA can only be used for issuing certificates with the e-mail purpose, and I am not sure this should be so explicitly disabled.

jim
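The two readings of the rule that this message contrasts (check the end-entity certificate only, or walk the whole chain), as an added example that is not from the thread or from any S/MIME implementation. Certificates are modelled as small dicts rather than parsed DER, and the sample chain, including the constrained intermediate CA, is constructed for illustration.

```python
# Added example (not from the mailing-list thread): the two readings of
# extendedKeyUsage evaluation that the message contrasts. Certificates are
# modelled as small dicts rather than parsed DER, purely to show the logic.
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth, for the sample CA

def eku_ok(cert):
    """True unless the cert carries a *critical* EKU lacking emailProtection.
    A certificate with no EKU extension, or a non-critical one, passes."""
    eku = cert.get("extendedKeyUsage")
    if eku is None or not eku["critical"]:
        return True
    return ID_KP_EMAIL_PROTECTION in eku["oids"]

def check_chain(chain, whole_chain):
    """chain[0] is the end-entity certificate, chain[-1] the trust anchor.
    whole_chain=False is the end-entity-only rule quoted in the message;
    whole_chain=True is the reading Jim argues for."""
    to_check = chain if whole_chain else chain[:1]
    return all(eku_ok(c) for c in to_check)

# Constructed sample chain: a "super-CA" has constrained the intermediate CA
# with a critical EKU that does NOT list emailProtection.
ee = {"subject": "user@example.com",
      "extendedKeyUsage": {"critical": True, "oids": [ID_KP_EMAIL_PROTECTION]}}
ca = {"subject": "Intermediate CA",
      "extendedKeyUsage": {"critical": True, "oids": [ID_KP_SERVER_AUTH]}}
root = {"subject": "Super CA"}   # no EKU extension at all
CHAIN = [ee, ca, root]

if __name__ == "__main__":
    # The same chain is accepted under one rule and rejected under the other.
    print("end-entity only:", check_chain(CHAIN, whole_chain=False))  # True
    print("whole chain:   ", check_chain(CHAIN, whole_chain=True))    # False
```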