RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt
"Linn, John" <jlinn@rsasecurity.com> Thu, 21 October 1999 20:41 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id NAA09119; Thu, 21 Oct 1999 13:41:56 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA03976 Thu, 21 Oct 1999 15:17:37 -0400 (EDT)
Message-ID: <D104150098E6D111B7830000F8D90AE8AE58AC@exna02.securitydynamics.com>
From: "Linn, John" <jlinn@rsasecurity.com>
To: 'Greg Carter' <greg.carter@entrust.com>, ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt
Date: Thu, 21 Oct 1999 15:13:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Greg wrote, excerpting:

> > From section 3.1 The extendedKeyUsage field:
> >
> > "In a certificate for an IPsec end entity, the extendedKeyUsage field
> > (commonly called "EKU") MUST be present and MUST contain only the object
> > identifier iKEIntermediate
> > (iso.org.dod.internet.security.mechanisms.ipsec.certificate.2, or
> > 1.3.6.1.5.5.8.2.2). An IKE system that conforms to this profile SHOULD NOT
> > accept end-entity certificates that do not follow this rule."
>
> Why must the certificate only have the one extended key usage? This is too
> restrictive.

I strongly agree, in the interests of avoiding unnecessary proliferation of
per-application certificates. Is there a compelling reason which warrants
erecting a barrier so that certificates which are to be usable for IPsec
purposes must not be used by other applications, at least if those other
applications also employ EKUs?

> I like the idea of only having one IPSec extended key usage bit though.
> Could we stick with PKIX and say that if flagged critical then it must only
> have one value. Therefore you could remove the "and MUST contain only the
> object identifier iKEIntermediate..." since that would be covered by PKIX
> RFC 2459 section 4.2.1.13 for critical extended key usage extensions.

I'm not sure I follow this. RFC-2459, 4.2.1.13, states re EKU that:

   "If the extension is flagged critical, then the certificate MUST be used
   only for one of the purposes indicated."

This doesn't preclude coexistence of IPsec's iKEIntermediate OID as one value
in a critical EKU along with other OIDs belonging to other applications.

--jl
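An added example, not part of this message or of the draft, to make the two readings concrete: a Go program that mints throwaway self-signed certificates with different EKU contents using the standard crypto/x509 library, reads the extension back raw so that the critical flag and the iKEIntermediate OID (which crypto/x509 does not recognise) are both visible, and scores each certificate three ways: under the draft's "only iKEIntermediate" rule, under the coexistence reading argued in the message, and under the RFC 2459 4.2.1.13 sentence quoted above. Using id-kp-serverAuth as the "other application" purpose, the function and type names, and the choice that the coexistence reading still requires the extension to be present are this example's assumptions, not the thread's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// OIDs named in the thread; id-kp-serverAuth stands in for "another application" (assumed).
var (
	oidExtKeyUsage     = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2} // draft -03 section 3.1
	oidServerAuth      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1} // RFC 2459 4.2.1.13
)

type ekuInfo struct {
	present, critical bool
	oids              []asn1.ObjectIdentifier
}

// readEKU decodes the raw extension rather than cert.ExtKeyUsage, so the critical flag and
// OIDs that crypto/x509 does not know (iKEIntermediate among them) are both visible.
func readEKU(cert *x509.Certificate) (ekuInfo, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidExtKeyUsage) {
			var oids []asn1.ObjectIdentifier // ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
			_, err := asn1.Unmarshal(ext.Value, &oids)
			return ekuInfo{present: true, critical: ext.Critical, oids: oids}, err
		}
	}
	return ekuInfo{}, nil // extension absent
}

// Verdict answers the three questions the message raises about one certificate.
type Verdict struct {
	Draft03    bool // section 3.1 as quoted: EKU present and containing only iKEIntermediate
	Coexisting bool // the reading argued above: iKEIntermediate listed, other OIDs may sit beside it
	IKEAllowed bool // RFC 2459 4.2.1.13: a critical EKU limits use to the listed purposes; otherwise unrestricted
}

func judge(e ekuInfo) Verdict {
	ike := slices.ContainsFunc(e.oids, oidIKEIntermediate.Equal)
	return Verdict{
		Draft03:    e.present && len(e.oids) == 1 && ike,
		Coexisting: e.present && ike, // keeping the presence requirement is an assumption here
		IKEAllowed: !(e.present && e.critical) || ike,
	}
}

// selfSignedWithEKU mints a throwaway self-signed certificate carrying the given EKU values via
// ExtraExtensions, since the template's ExtKeyUsage field cannot mark the extension critical.
func selfSignedWithEKU(oids []asn1.ObjectIdentifier, critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if len(oids) > 0 { // empty means "emit no EKU extension at all"
		value, err := asn1.Marshal(oids)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidExtKeyUsage, Critical: critical, Value: value}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify mints a certificate with the given EKU (none if oids is empty) and judges it.
func classify(critical bool, oids ...asn1.ObjectIdentifier) (Verdict, error) {
	cert, err := selfSignedWithEKU(oids, critical)
	if err != nil {
		return Verdict{}, err
	}
	e, err := readEKU(cert)
	return judge(e), err
}

func main() {
	for _, critical := range []bool{true, false} {
		for _, oids := range [][]asn1.ObjectIdentifier{{oidIKEIntermediate}, {oidIKEIntermediate, oidServerAuth}, {oidServerAuth}, nil} {
			v, err := classify(critical, oids...)
			fmt.Printf("critical=%-5v eku=%v -> %+v err=%v\n", critical, oids, v, err)
		}
	}
}
```

Running it prints one line per (criticality, EKU content) pair. The case the message is about, a critical EKU holding both iKEIntermediate and id-kp-serverAuth, fails the draft's rule but passes the other two checks; a critical EKU holding id-kp-serverAuth alone is the only case in which RFC 2459 itself forbids IKE use, while a non-critical or absent EKU is rejected only by the draft's presence-and-exclusivity rule, not by RFC 2459.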
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Greg Carter
- I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Internet-Drafts
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Greg Carter
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Linn, John
- RE: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Greg Carter
- Re: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Paul Hoffman
- Re: I-D ACTION:draft-ietf-ipsec-pki-req-03.txt Brian Korver
- Re:-ipsec-pki-req-03 - EKU's Rodney Thayer
- Re:-ipsec-pki-req-03 - EKU's Paul Hoffman
- Re: -ipsec-pki-req-03 - EKU's Brian Korver