Extended Key Usage Extension
Warwick Ford <wford@verisign.com> Thu, 10 April 1997 15:48 UTC
Message-Id: <3.0.32.19970410115024.0073b384@pop.a001.sprintmail.com>
Date: Thu, 10 Apr 1997 11:50:27 -0700
To: ietf-pkix@tandem.com
From: Warwick Ford <wford@verisign.com>
Subject: Extended Key Usage Extension
This message pertains to the discussion at the Memphis meeting regarding extending the key usage extension to provide for OID-indicated key purposes. In light of valuable discussions with several individuals in Memphis, including PKIX, TLS and IPSEC specialists, following is a specific proposal to add a new extension field definition without changing the existing keyUsage extension. I shall also explore having ISO/IEC/ITU add this to the standard, in response to an open defect report addressing inadequacies in the key usage bit string.

Warwick

---------------------------

12.2.2.x Extended key usage field

This field indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. This field is defined as follows:

    extKeyUsage EXTENSION ::= {
        SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId
        IDENTIFIED BY id-ce-extKeyUsage }

    KeyPurposeId ::= OBJECT IDENTIFIER

Key purposes may be defined by any organization with a need. Object identifiers used to identify key purposes shall be assigned in accordance with ITU-T Rec. X.660 | ISO/IEC 9834-1.

This extension may, at the option of the certificate issuer, be either critical or non-critical.

If the extension is flagged critical, then the certificate shall be used only for one of the purposes indicated.

If the extension is flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. It is an advisory field and does not imply that usage of the key is restricted by the certification authority to the purpose indicated. (Using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application.)

If a certificate contains both a critical key usage field and a critical extended key usage field, then both fields shall be processed independently and the certificate shall only be used for a purpose consistent with both fields. If there is no purpose consistent with both fields, then the certificate shall not be used for any purpose.

[The following purpose definitions are for inclusion in the IETF PKIX Profile but not the ISO/IEC/ITU standard.]

The following key usage purposes are defined by this profile:

    id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1}
    -- TLS Web server authentication
    -- Key usage bits that may be consistent: keyEncipherment or keyAgreement

    id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2}
    -- TLS Web client authentication
    -- Key usage bits that may be consistent: digitalSignature

    id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3}
    -- Signing of downloadable executable code
    -- Key usage bits that may be consistent: digitalSignature

    id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4}
    -- E-mail protection
    -- Key usage bits that may be consistent: digitalSignature, nonRepudiation,
    --   and/or (keyEncipherment or keyAgreement)

    id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= {id-kp 5}
    -- IP security end system (host or router)
    -- Key usage bits that may be consistent: digitalSignature and/or
    --   (keyEncipherment or keyAgreement)

    id-kp-ipsecTunnel OBJECT IDENTIFIER ::= {id-kp 6}
    -- IP security tunnel termination
    -- Key usage bits that may be consistent: digitalSignature and/or
    --   (keyEncipherment or keyAgreement)

    id-kp-ipsecUser OBJECT IDENTIFIER ::= {id-kp 7}
    -- IP security user
    -- Key usage bits that may be consistent: digitalSignature and/or
    --   (keyEncipherment or keyAgreement)

---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------
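As an added worked example, not part of Ford's message or of any PKIX implementation, the following Python encodes and decodes the proposed extKeyUsage value (a DER SEQUENCE OF OBJECT IDENTIFIER) and applies the proposal's rules: a critical extKeyUsage limits use to the listed purposes, a non-critical one is advisory, and when both keyUsage and extKeyUsage are critical a purpose must be listed and consistent with the keyUsage bits, with no purpose left meaning the certificate is unusable. The "may be consistent" table is the one in the message. The message writes purposes only as {id-kp n}; the arc value 1.3.6.1.5.5.7.3 used below is an assumption, taken from the arc PKIX later registered for these purposes.

```python
"""Added example, not part of Warwick Ford's message or any PKIX code base:
DER encoder/decoder for the proposed extKeyUsage SEQUENCE OF KeyPurposeId,
plus the "consistent with both fields" rule applied to keyUsage bits."""
from typing import Dict, List, Optional, Set

DIGITAL_SIGNATURE = "digitalSignature"
NON_REPUDIATION = "nonRepudiation"
KEY_ENCIPHERMENT = "keyEncipherment"
KEY_AGREEMENT = "keyAgreement"

# Assumption: the message writes purposes as {id-kp n} without giving the arc;
# 1.3.6.1.5.5.7.3 is the arc PKIX later registered for these purposes.
ID_KP = "1.3.6.1.5.5.7.3"

# keyUsage bits the proposal lists as "may be consistent" with each purpose.
# A purpose is consistent with a keyUsage field when any listed bit is set.
CONSISTENT_BITS: Dict[str, Set[str]] = {
    "serverAuth": {KEY_ENCIPHERMENT, KEY_AGREEMENT},
    "clientAuth": {DIGITAL_SIGNATURE},
    "codeSigning": {DIGITAL_SIGNATURE},
    "emailProtection": {DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, KEY_AGREEMENT},
    "ipsecEndSystem": {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT},
    "ipsecTunnel": {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT},
    "ipsecUser": {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT},
}
# {id-kp 1} .. {id-kp 7}, in the order the proposal lists them.
PURPOSE_OID = {name: f"{ID_KP}.{n}" for n, name in enumerate(CONSISTENT_BITS, 1)}
OID_PURPOSE = {oid: name for name, oid in PURPOSE_OID.items()}


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:                          # base-128, high bit on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]          # sufficient for first arc 0 or 1, as for id-kp
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data: bytes, pos: int):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form definite length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def encode_ext_key_usage(purposes: List[str]) -> bytes:
    """SEQUENCE SIZE (1..MAX) OF KeyPurposeId; names outside the table are taken as dotted OIDs."""
    if not purposes:
        raise ValueError("extKeyUsage requires at least one KeyPurposeId")
    body = b"".join(_encode_oid(PURPOSE_OID.get(p, p)) for p in purposes)
    return b"\x30" + _der_length(len(body)) + body


def decode_ext_key_usage(der: bytes) -> List[str]:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oid = _decode_oid(oid_body)
        purposes.append(OID_PURPOSE.get(oid, oid))  # purposes defined elsewhere stay as dotted OIDs
    if not purposes:
        raise ValueError("extKeyUsage requires at least one KeyPurposeId")
    return purposes


def permitted_purposes(key_usage: Optional[Set[str]], ku_critical: bool,
                       ext_key_usage: Optional[List[str]], eku_critical: bool) -> Set[str]:
    """Purposes from the table the certificate may be used for.
    Only critical fields restrict use; a non-critical extKeyUsage is advisory.
    With both fields critical, a purpose must be listed in extKeyUsage and be
    consistent with keyUsage; an empty result means the certificate is unusable."""
    allowed = set(CONSISTENT_BITS)
    if ext_key_usage is not None and eku_critical:
        allowed &= set(ext_key_usage)
    if key_usage is not None and ku_critical:
        allowed = {p for p in allowed if key_usage & CONSISTENT_BITS[p]}
    return allowed


if __name__ == "__main__":
    der = encode_ext_key_usage(["serverAuth", "clientAuth"])
    print(der.hex(), decode_ext_key_usage(der))
    # critical keyUsage with only digitalSignature is inconsistent with serverAuth
    print(permitted_purposes({DIGITAL_SIGNATURE}, True, ["serverAuth"], True))
```

The decoder keeps unknown OIDs as dotted strings rather than rejecting them, since the proposal allows any organization to define its own purposes; a relying application that requires a specific purpose checks `permitted_purposes` for that name rather than trusting the advisory field on its own.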