[pkix] RFC 5280 Extended Key Usage - explanation

Peter Miškovič <Peter.Miskovic@disig.sk> Mon, 13 November 2023 07:27 UTC

From: Peter Miškovič <Peter.Miskovic@disig.sk>
To: "pkix@ietf.org" <pkix@ietf.org>
Date: Mon, 13 Nov 2023 07:27:40 +0000
Message-ID: <1cc8b53823ff40d7bbfa126478461a43@disig.sk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/mzTdgXk1EGvNrxlzcMkivUoALfE>
Subject: [pkix] RFC 5280 Extended Key Usage - explanation

Hello

I want to ask you for an explanation of this part of RFC5280:

4.2.1.12. Extended use of the key

"If a certificate contains both a key usage extension and an extended key usage extension, then both extensions MUST be processed independently and the certificate MUST only be used for a purpose consistent with both extensions."

Does this mean that if I have the "digitalSignature" value in the Key Usage extension and the "id-kp-clientAuth" value in the Extended Key Usage extension, I can use such a certificate for TLS WWW client authentication only and not for digitally signing documents, for example PDF?

Or can it be understood that I can use such a certificate only for digitally signing or TLS WWW client authentication, but not for anything else, e.g. email protection or code signing?

What does "then both extensions MUST be processed independently" mean, if I should take into account their common connection as a result?

Thank you in advance.

Regards
Peter Miskovic
---------------------------------
Peter Miskovic
CA Chief Operating Officer

Disig, a.s.
Zahradnicka 151, 821 08 Bratislava 2, Slovakia

phone +421 2 208 50 150
cell phone +421 905 960 345
peter.miskovic@disig.sk
www.disig.sk
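The rule quoted from RFC 5280 section 4.2.1.12 is easiest to see as a relying-party check that evaluates each extension on its own and then accepts a purpose only if both checks pass. The following is an added example written for this archive page, not code from the original message or from Disig; it models only the usage-related extensions rather than parsing a real certificate. The key-usage bits listed as consistent with each id-kp purpose follow RFC 5280 section 4.2.1.12; the document-signing purpose uses the id-kp-documentSigning OID from RFC 9336 and is included as an assumption about how a PDF-signing application would be profiled, since RFC 5280 itself defines no such EKU.

```python
"""Evaluate Key Usage (KU) and Extended Key Usage (EKU) independently,
as RFC 5280 section 4.2.1.12 requires, and accept a purpose only when
it is consistent with both extensions.  Added illustration, not code
from the original mailing-list post."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# EKU purpose OIDs defined in RFC 5280 section 4.2.1.12
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
# Document-signing EKU from RFC 9336 (assumed profile for PDF signing;
# not part of RFC 5280)
ID_KP_DOCUMENT_SIGNING = "1.3.6.1.5.5.7.3.36"

# For each purpose: the KU bits of which at least one must be asserted
# (the "key usage bits that may be consistent" lists of RFC 5280
# 4.2.1.12, plus the RFC 9336 list for document signing) and the EKU
# OID that must be listed.
PURPOSE_RULES: Dict[str, Tuple[Set[str], str]] = {
    "serverAuth": ({"digitalSignature", "keyEncipherment", "keyAgreement"},
                   ID_KP_SERVER_AUTH),
    "clientAuth": ({"digitalSignature", "keyAgreement"}, ID_KP_CLIENT_AUTH),
    "codeSigning": ({"digitalSignature"}, ID_KP_CODE_SIGNING),
    "emailProtection": ({"digitalSignature", "nonRepudiation",
                         "keyEncipherment", "keyAgreement"},
                        ID_KP_EMAIL_PROTECTION),
    "documentSigning": ({"digitalSignature", "nonRepudiation"},
                        ID_KP_DOCUMENT_SIGNING),
}


@dataclass(frozen=True)
class CertUsage:
    """Usage-related extensions of one certificate.  None means the
    extension is absent, which imposes no restriction of its own."""
    key_usage: Optional[FrozenSet[str]] = None
    ext_key_usage: Optional[FrozenSet[str]] = None


def key_usage_permits(cert: CertUsage, purpose: str) -> bool:
    """KU checked alone: absent means unrestricted; otherwise at least
    one of the bits consistent with the purpose must be set."""
    bits, _ = PURPOSE_RULES[purpose]
    if cert.key_usage is None:
        return True
    return bool(cert.key_usage & bits)


def ext_key_usage_permits(cert: CertUsage, purpose: str) -> bool:
    """EKU checked alone: absent, or anyExtendedKeyUsage present, means
    unrestricted; otherwise the purpose's OID must be listed."""
    _, oid = PURPOSE_RULES[purpose]
    if cert.ext_key_usage is None or ANY_EXTENDED_KEY_USAGE in cert.ext_key_usage:
        return True
    return oid in cert.ext_key_usage


def permitted(cert: CertUsage, purpose: str) -> bool:
    """The RFC 5280 rule: each extension is processed independently and
    the purpose is accepted only if it is consistent with both."""
    return key_usage_permits(cert, purpose) and ext_key_usage_permits(cert, purpose)


def permitted_purposes(cert: CertUsage) -> Set[str]:
    """All purposes in PURPOSE_RULES that the certificate may be used for."""
    return {p for p in PURPOSE_RULES if permitted(cert, p)}


# Constructed sample: the certificate described in the question,
# KU = digitalSignature, EKU = id-kp-clientAuth
QUESTION_CERT = CertUsage(key_usage=frozenset({"digitalSignature"}),
                          ext_key_usage=frozenset({ID_KP_CLIENT_AUTH}))
# Constructed sample: same KU, but no EKU extension at all
KU_ONLY_CERT = CertUsage(key_usage=frozenset({"digitalSignature"}))
# Constructed sample: EKU carries anyExtendedKeyUsage, so only KU restricts
ANY_EKU_CERT = CertUsage(key_usage=frozenset({"keyEncipherment"}),
                         ext_key_usage=frozenset({ANY_EXTENDED_KEY_USAGE}))

if __name__ == "__main__":
    for name, cert in [("question cert", QUESTION_CERT),
                       ("KU only", KU_ONLY_CERT),
                       ("anyEKU", ANY_EKU_CERT)]:
        print(f"{name}: {sorted(permitted_purposes(cert))}")
```

Run stand-alone, the script shows the three outcomes side by side: the certificate from the question passes the KU check for document signing (digitalSignature is a consistent bit) but fails the EKU check because id-kp-clientAuth is the only listed purpose, so clientAuth is the one purpose consistent with both; the KU-only certificate is unrestricted by EKU and may serve every purpose that digitalSignature supports; and the anyExtendedKeyUsage certificate is bounded by its KU alone. "Processed independently" here means neither extension is reinterpreted in light of the other; the intersection arises only from requiring both checks to pass.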