IETF Logo Mail Archive

Re: Extended Key Usage Extension

Tim Dierks <timd@consensus.com> Fri, 11 April 1997 00:54 UTC

Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id RAA02762; Thu, 10 Apr 1997 17:54:46 -0700
Received: from proxy3.ba.best.com by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id RAA02758; Thu, 10 Apr 1997 17:54:45 -0700
Received: from [199.81.221.188] (ietfguest88.fedex.net [199.81.221.188]) by proxy3.ba.best.com (8.8.5/8.8.3) with ESMTP id RAA16213; Thu, 10 Apr 1997 17:50:12 -0700 (PDT)
Message-Id: <v03020703af71e603dd3c@[199.81.221.188]>
In-Reply-To: <3.0.32.19970410115024.0073b384@pop.a001.sprintmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 09 Apr 1997 19:51:26 -0500
To: Warwick Ford <wford@verisign.com>
From: Tim Dierks <timd@consensus.com>
Subject: Re: Extended Key Usage Extension
Cc: ietf-pkix@tandem.com

At 11:50 AM -0700 4/10/97, Warwick Ford wrote:
>id-kp-serverAuth			OBJECT IDENTIFIER	::=	{id-kp 1}
>-- TLS Web server authentication
>-- Key usage bits that may be consistent: keyEncipherment or keyAgreement
>id-kp-clientAuth			OBJECT IDENTIFIER	::=	{id-kp 2}
>-- TLS Web client authentication
>-- Key usage bits that may be consistent: digitalSignature

Warwick, thank you for this proposal.

First, the minor note: id-kp-serverAuth is also consistent with
digitalSignature, for modes in which the server signs an ephemeral RSA or
Diffie-Hellman key.

Also, it is my contention that it would be a good idea to provide values
for no-serverAuth and no-clientAuth as well. This is an issue that arises
because implementors need to interoperate with non-PKIX usage spaces and/or
would like flexibility in certificate use.

Specifically, let's say I am a TLS web client vendor. For interoperability
reasons and backwards compatibility, I would like to allow servers to use
X.509v1 certs and/or non-PKIX compliant X.509v3 certs. Since I cannot deny
access because id-kp-serverAuth isn't there, I can't keep PKIX compatible
clients (who I suggest should have no-serverAuth OIDs) from masquerading as
SSL servers.

You could battle this by marking the extension critical, but this would
lead to an undesirable lack of flexibility: when we introduce secure
telephony, one wouldn't be able to use a TLS client certificate for secure
telephony because it presumably wouldn't have an
id-kp-watsonComeHereINeedYou OID (which hadn't been invented when the cert
was signed), even though the policy and distinguished name of the
certificate might allow it.

On the other hand, I suppose that it would be bad to have to list all the
various things a certificate can't do, as well: id-kp-serverAuth,
id-kp-breakTheLaw, id-kp-enableDoomsdayDevice, etc.

 - Tim

Tim Dierks - timd@consensus.com - www.consensus.com
     Software Haruspex - Consensus Development
  Developer of SSL Plus: SSL 3.0 Integration Suite

v2.23.0 | Report a Bug | By Email