Re:-ipsec-pki-req-03 - EKU's
Rodney Thayer <rodney@ssh.fi> Wed, 27 October 1999 19:51 UTC
X-Persona: <a phoffman VPNC>
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA13380 for <paul.hoffman@vpnc.org>; Wed, 27 Oct 1999 12:51:10 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA05578 Wed, 27 Oct 1999 14:20:33 -0400 (EDT)
Message-Id: <3.0.6.32.19991027122417.00acf380@127.0.0.1>
X-Sender: rodney@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Wed, 27 Oct 1999 12:24:17 +0200
To: ipsec@lists.tislabs.com
From: Rodney Thayer <rodney@ssh.fi>
Subject: Re:-ipsec-pki-req-03 - EKU's
In-Reply-To: <38164C72.6E1A7A23@cs.stanford.edu>
References: <01E1D01C12D7D211AFC70090273D20B10197D71C@sothmxs06.entrust.com> <4.2.1.19991026092935.0302c5b0@mail.vpnc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
X-UIDL: cc2cd5163ee52885947f5a46a20f5605
Regarding the EKU discussion... I originally put in two kinds of EKU's -- one for end systems and one for intermediate systems. It is my opinion that you want to be able to label a certificate with this information: -- it's for IPsec -- it's for an end system (only this machine) -- it's for a gateway ("intermediate") system (it can do IPsec for packets it forwards At the Binghampton bakeoff, we had a disscussion of this, and (a then-Cisco employee now working in Santa Cruz) complained this was too complicated, so the consensus was altered to have only one key usage for ipsec. Since Intermediate was at that time deployed, we chose that one. I still think we need the three factoids in the certificate, somehow. Per Paul Hoffman's arguments, which I wholeheartedly agree with (much to my disgust), we should use some PKIX-based style/format/oid/whatever to communicate these factoids, if in fact they should be conveyed in the certificate. I do not know of anyone REQUIRING EKU. I do know of multiple implementations of it today. So... I would suggest we put back the other EKU value (which, by the way, I got assigned by IANA already...) for ikeEndSystem. If there's a PKIX lawyer in the room, and they have some mechanism other than EKU that is more culturally compatible with PKIX, we should discuss that. As I understand it, EKU is a "PKIX-style" feature, though, so we're ok on that point. On the subject of "how many EKU's can you have", I don't think we should prohibit others, however I vaguely recall this was some sort of PKIX requirement. I myself have seen people wanting "swiss army certificates" which enable SSL, SMIME, IPsec, right turn on red without stopping, and all sorts of other features. I happen to think that's unsafe, but it does seem to be a requirement. I would like to allow multiple EKU's. At 05:51 PM 10/26/99 -0700, Brian Korver wrote: >Paul Hoffman wrote: >> >> At 04:35 PM 10/25/99 -0700, Brian Korver wrote: >> >Why require that extendedKeyUsage be mandatory at all? >> >> To identify the cert as being for IKE. I've been told that today's IKE >> systems use this OID as identification. I believe we should have *one* OID >> for all IKE implementations, and not try to slice and dice between "client" >> and "gateway" and so on. >> >> Are there any IPsec implementations using the IPsec OIDs specified in RFC >> 2459? Are there any implementations that require the use of other OIDs, >> like IKEend (1.3.6.1.5.5.8.2.1)? >> >Why is there a requirement to identify certificates as "for use with IKE"? > >BTW, I haven't heard of any implementations that require these IKE OIDs in >ExtendedKeyUsage. Perhaps someone else has.
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Greg Carter
- I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Internet-Drafts
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Greg Carter
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Linn, John
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Greg Carter
- Re: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Paul Hoffman
- Re: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Brian Korver
- Re:-ipsec-pki-req-03 - EKU's Rodney Thayer
- Re:-ipsec-pki-req-03 - EKU's Paul Hoffman
- Re: -ipsec-pki-req-03 - EKU's Brian Korver