RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt

Greg Carter <greg.carter@entrust.com> Thu, 21 October 1999 21:40 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id OAA10040; Thu, 21 Oct 1999 14:40:39 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA04106 Thu, 21 Oct 1999 15:59:44 -0400 (EDT)
Message-ID: <01E1D01C12D7D211AFC70090273D20B10197D745@sothmxs06.entrust.com>
From: Greg Carter <greg.carter@entrust.com>
To: "'Linn, John'" <jlinn@rsasecurity.com>, Greg Carter <greg.carter@entrust.com>, ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt
Date: Thu, 21 Oct 1999 15:59:38 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Hi John,
You are right; it can still have multiple values even if critical. Sorry for
the confusion.
Bye.
Greg Carter
Entrust Technologies - http://www.entrust.com
http://www.ford-trucks.com/articles/buildup/dana60.html


-----Original Message-----
From: Linn, John [mailto:jlinn@rsasecurity.com]
Sent: Thursday, October 21, 1999 3:13 PM
To: 'Greg Carter'; ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt


Greg wrote, excerpting:
> it must only have one value.  Therefore you could remove the "and MUST
> contain only the object identifier iKEIntermediate..." since that would be
> covered by PKIX RFC 2459 section 4.2.1.13 for critical extended key usage
> extensions.

I'm not sure I follow this. RFC-2459, 4.2.1.13, states re EKU that: "If the
extension is flagged critical, then the certificate MUST be used only for
one of the purposes indicated."  This doesn't preclude coexistence of
IPsec's iKEIntermediate OID as one value in a critical EKU along with other
OIDs belonging to other applications.
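The point the two messages settle on, as an added example that is not part of the thread, the draft, or RFC 2459 itself: a critical extKeyUsage is a SEQUENCE SIZE (1..MAX) OF KeyPurposeId, so iKEIntermediate can sit beside other purposes, and criticality only restricts use to the listed set. The block below hand-encodes and decodes that extension value in DER and applies the 4.2.1.13 rule. The iKEIntermediate arc 1.3.6.1.5.5.8.2.2 is taken from the IPsec PKI requirements drafts and assumed here; serverAuth and clientAuth are the RFC 2459 id-kp values; the sample extension contents are constructed.

```python
"""DER encode/decode of an X.509 extKeyUsage value, plus the RFC 2459
section 4.2.1.13 rule for critical vs. non-critical EKU (added example)."""

# iKEIntermediate, arc assumed from the IPsec PKI requirements drafts
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, RFC 2459
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, RFC 2459


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last 7-bit group has no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _encode_len(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the value bytes (tag and length stripped)."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    a = min(body[0] // 40, 2)
    arcs = [a, body[0] - 40 * a]
    value = 0
    for b in body[1:]:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal sub-identifier")  # DER forbids padding
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(x) for x in arcs)


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if not oids:
        raise ValueError("extKeyUsage must list at least one purpose")
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_len(len(inner)) + inner


def decode_eku(der: bytes):
    """Parse the extension value back into a list of dotted OIDs."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        tag, body, pos = _read_tlv(inner, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    if not oids:
        raise ValueError("extKeyUsage must list at least one purpose")
    return oids


def usage_permitted(critical: bool, eku_oids, purpose: str) -> bool:
    """RFC 2459 4.2.1.13: critical => only the listed purposes are allowed;
    non-critical => advisory, the CA is not restricting use."""
    if not critical:
        return True
    return purpose in eku_oids


if __name__ == "__main__":
    # Constructed sample: a critical EKU carrying iKEIntermediate and serverAuth.
    der = encode_eku([IKE_INTERMEDIATE, SERVER_AUTH])
    print(der.hex())
    print(decode_eku(der))
    print("serverAuth:", usage_permitted(True, decode_eku(der), SERVER_AUTH))
    print("clientAuth:", usage_permitted(True, decode_eku(der), CLIENT_AUTH))
```

The decoder deliberately rejects trailing bytes, non-OID members, an empty SEQUENCE and non-minimal sub-identifiers, which is what a validator should do before trusting the purpose list of a critical extension.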