Extended Key Usage Extension

Warwick Ford <wford@verisign.com> Thu, 10 April 1997 15:48 UTC

Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id IAA06010; Thu, 10 Apr 1997 08:48:21 -0700
Received: from mailgate31 by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id IAA05998; Thu, 10 Apr 1997 08:48:15 -0700
Received: by mailgate31 (SMI-8.6/SMI-SVR4) id IAA29457; Thu, 10 Apr 1997 08:47:56 -0700
Received: from sdn-ts-005mdrelrp11.dialsprint.net( by mailfep3-hme1 via smap (KC5.24) id Q_10.1.1.8/Q_4438_1_334d0b9e; Thu Apr 10 08:47:42 1997
Message-Id: <>
X-Sender: wford@pop.a001.sprintmail.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 10 Apr 1997 11:50:27 -0700
To: ietf-pkix@tandem.com
From: Warwick Ford <wford@verisign.com>
Subject: Extended Key Usage Extension
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

This message pertains to the discussion at the Memphis meeting regarding
extending the key usage extension to provide for OID-indicated key
purposes.  In light of valuable discussions with several individuals in
Memphis, including PKIX, TLS and IPSEC specialists, following is a specific
proposal to add a new extension field definition without changing the
existing keyUsage extension.  I shall also explore having ISO/IEC/ITU add
this to the standard, in response to an open defect report addressing
inadequacies in the key usage bit string.


12.2.2.x	Extended key usage field

This field indicates one or more purposes for which the certified public
key may be used, in addition to or in place of the basic purposes indicated
in the key usage extension field.  This field is defined as follows:

extKeyUsage EXTENSION ::= {
	IDENTIFIED BY id-ce-extKeyUsage }


Key purposes may be defined by any organization with a need. Object
identifiers used to identify key purposes shall be assigned in accordance
with ITU-T Rec. X.660 | ISO/IEC 9834-1.

This extension may, at the option of the certificate issuer, be either
critical or non-critical. 

If the extension is flagged critical, then the certificate shall be used
only for one of the purposes indicated. 

If the extension is flagged non-critical, then it indicates the intended
purpose or purposes of the key, and may be used in finding the correct
key/certificate of an entity that has multiple keys/certificates. It is an
advisory field and does not imply that usage of the key is restricted by
the certification authority to the purpose indicated. (Using applications
may nevertheless require that a particular purpose be indicated in order
for the certificate to be acceptable to that application.) 

If a certificate contains both a critical key usage field and a critical
extended key usage field, then both fields shall be processed independently
and the certificate shall only be used for a purpose consistent with both
fields.  If there is no purpose consistent with both fields, then the
certificate shall not be used for any purpose.

[The following purpose definitions are for inclusion in the IETF PKIX
Profile but not the ISO/IEC/ITU standard.]

The following key usage purposes are defined by this profile:

id-kp-serverAuth			OBJECT IDENTIFIER	::=	{id-kp 1}
-- TLS Web server authentication
-- Key usage bits that may be consistent: keyEncipherment or keyAgreement
id-kp-clientAuth			OBJECT IDENTIFIER	::=	{id-kp 2}
-- TLS Web client authentication
-- Key usage bits that may be consistent: digitalSignature
id-kp-codeSigning			OBJECT IDENTIFIER	::=	{id-kp 3}
-- Signing of downloadable executable code
-- Key usage bits that may be consistent: digitalSignature
id-kp-emailProtection		OBJECT IDENTIFIER	::=	{id-kp 4}
-- E-mail protection
-- Key usage bits that may be consistent: digitalSignature, nonRepudiation,
and/or (keyEncipherment or keyAgreement)
id-kp-ipsecEndSystem			OBJECT IDENTIFIER	::=	{id-kp 5}
-- IP security end system (host or router)
-- Key usage bits that may be consistent: digitalSignature and/or
(keyEncipherment or keyAgreement)
id-kp-ipsecTunnel			OBJECT IDENTIFIER	::=	{id-kp 6}
-- IP security tunnel termination
-- Key usage bits that may be consistent: digitalSignature and/or
(keyEncipherment or keyAgreement)
id-kp-ipsecUser			OBJECT IDENTIFIER	::=	{id-kp 7}
-- IP security user
-- Key usage bits that may be consistent: digitalSignature and/or
(keyEncipherment or keyAgreement)

Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
   wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716