Re: draft-ietf-pkix-rfc3770bis-01: key usage extension

Russ Housley <housley@vigilsec.com> Fri, 15 April 2005 16:03 UTC

Message-Id: <6.2.0.14.2.20050415103508.08d3bb50@mail.binhost.com>
Date: Fri, 15 Apr 2005 10:38:24 -0400
To: ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: draft-ietf-pkix-rfc3770bis-01: key usage extension
In-Reply-To: <200504150810.j3F8Aja03429@chandon.edelweb.fr>
References: <200504150810.j3F8Aja03429@chandon.edelweb.fr>

Peter:

You are the one who complained that there was no discussion of the key 
usage extension.  I am happy to delete the whole paragraph ... you are the 
one who asked for the topic to be covered.

How about this:

    If a certificate contains a key usage extension, the KeyUsage bits
    that are needed depend on the EAP method that is employed.

Russ

At 04:10 AM 4/15/2005, Peter Sylvester wrote:

> > >
> > > take a cert with all bits on. This is equivalent to having no keyUsage at all
> > > as far as I remember. In this case the keyCertSign bit and the cRLSign bit are
> > > set, and the above 'MUST NOT' prohibits use of this cert. Is this what you intend?
> > > I don't think so.
> > >
> > > Isn't the right wording: no known EAP usage requires keyCertSign or cRLSign?
> >
> > How about: ... however, EAP methods MUST NOT require the keyCertSign bit or
> > the cRLSign bit to be set in end entity certificates.
>
>
> - The initial text had no keyUsage restriction.
>
> - The current text has a restriction that technically doesn't make any
>   sense and is incompatible with the standard.
>
> - Above you propose something that is a restriction for EAP methods
>   which was not in 3770. Can you justify this change, please.
>
>
> Peter
> PS: Would it be possible to instruct your mail user agent not to send
> me two copies just because I am twice in the To list, or else. Thanks