Re: draft-ietf-pkix-rfc3770bis-01: key usage extension
Peter Sylvester <Peter.Sylvester@edelweb.fr> Thu, 14 April 2005 17:22 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA03864 for <pkix-archive@lists.ietf.org>; Thu, 14 Apr 2005 13:22:40 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j3EGakcS038851; Thu, 14 Apr 2005 09:36:46 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j3EGakmf038850; Thu, 14 Apr 2005 09:36:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j3EGaicW038840 for <ietf-pkix@imc.org>; Thu, 14 Apr 2005 09:36:45 -0700 (PDT) (envelope-from Peter.Sylvester@edelweb.fr)
Received: from chandon.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id j3EGahn25792; Thu, 14 Apr 2005 18:36:43 +0200 (MEST)
Received: from chandon.edelweb.fr (chandon.edelweb.fr [193.51.14.162]) by edelweb.fr (nospam/2.0); Thu, 14 Apr 2005 18:36:43 +0200 (MET DST)
Received: (from peter@localhost) by chandon.edelweb.fr (8.11.7p1+Sun/8.11.7) id j3EGafb02347; Thu, 14 Apr 2005 18:36:41 +0200 (MEST)
Date: Thu, 14 Apr 2005 18:36:41 +0200
From: Peter Sylvester <Peter.Sylvester@edelweb.fr>
Message-Id: <200504141636.j3EGafb02347@chandon.edelweb.fr>
To: Peter.Sylvester@edelweb.fr, housley@vigilsec.com
Subject: Re: draft-ietf-pkix-rfc3770bis-01: key usage extension
Cc: ietf-pkix@imc.org
X-Sun-Charset: US-ASCII
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> > > > >2 *** > > > > > > > > If a certificate contains a key usage extension, the KeyUsage bits > > > > that are needed depends on the EAP method that is employed; however, > > > > the keyCertSign bit and the cRLSign MUST NOT be associated with EAP > > > > method end entity certificates. > > > > > > > >This means that you cannot have a certificat WITHOUT keyUsage? > > > >Or, in case of a certificate without keyUsage, you could use it > > > >for CrlSigning? > > > > > > No. The paragraph only talks about the key usage extension in support of > > > EAP methods. The question you are asking is beyond the scope of the > > > paragraph and the whole document. > > > > > > >oops, I made a mistake. i wanted to ask "could you use a certificate > >that has no keyUsage for EAP methods?' > > Yes. In this case, the certificate is not providing any constraints on the > key usage. > > Russ take a cert with all bit on. This is equivalent to having no keyUsage at all as far as I remember. in this case the keyCertSign bit and the cRLSign are set, and the above 'MUST NOT' prohibits use of this cert. is this what you intend? I don't think so. Isn't the right wording: no known EAP usage requires keyCertSign or cRLSign?
- Re: draft-ietf-pkix-rfc3770bis-01: key usage exte… Peter Sylvester
- Re: draft-ietf-pkix-rfc3770bis-01: key usage exte… Russ Housley
- Re: draft-ietf-pkix-rfc3770bis-01: key usage exte… Peter Sylvester
- Re: draft-ietf-pkix-rfc3770bis-01: key usage exte… Russ Housley
- Re: draft-ietf-pkix-rfc3770bis-01: key usage exte… Peter Sylvester
- Re: draft-ietf-pkix-rfc3770bis-01: key usage exte… Peter Sylvester