[Openswan Users] X.509 key usage
Gregor Bethlen
saphira at bethlen.de
Mon Jul 19 15:56:16 CEST 2004
Hello Andreas,
thank you for your response. Do you know if there are any plans to include an (extended)keyUsage check in further *swan implementations?
Bye,
Gregor
Andreas Steffen <andreas.steffen at strongsec.net> wrote on 19.07.04 13:54:15:
>
> The keyUsage and extendedKeyUsage flags are not checked by *swan.
>
> An exception are the OCSP signing certificates introduced with
> the X.509 patch version >= 1.5, where the OCSPSigning flag must be
> mandatorily set in the extendedKeyUsage field.
>
> Intermediate CA certificates sent via PKCS#7-wrapped certificate payloads
> must have the CA basicConstraints field set to TRUE in order to get
> accepted.
>
> Regards
>
> Andreas
>
> Gregor Bethlen wrote:
> > Hello list,
> >
> > I wondered if OpenS/WAN refers to the keyUsage and extendedKeyUsage-Fields in
> > X.509-certificate-extensions. I found nothing in readme.X509, and on an
> > archived mailing-list-entry from FreeS/WAN it said, just the DN and the
> > Public Key are used. (I hope, the signature gets proofed, though.) Since this
> > mail was from somewhat 2001, I wondered, if the keyUsage gets checked by
> > OpenS/WAN.
> >
> > Thanks for any answers,
> >
> > Gregor
>
> =======================================================================
> Andreas Steffen e-mail: andreas.steffen at strongsec.com
> strongSec GmbH home: http://www.strongsec.com
> Alter Zürichweg 20 phone: +41 1 730 80 64
> CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
> ==========================================[strong internet security]===
>
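Because the reply above says keyUsage and extendedKeyUsage are not enforced by the daemon, certificates can be audited separately. The following is an added example, not part of the original thread and not *swan code: a standard-library DER walk that evaluates the two conditions named in the reply (cA TRUE in basicConstraints, OCSPSigning in extendedKeyUsage). Function names are hypothetical and the sample inputs are constructed skeletons, not real certificates.

```python
# Added example; function names are hypothetical and this is not *swan code.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")          # 2.5.29.19
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")              # 2.5.29.37
OID_KP_OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # 1.3.6.1.5.5.7.3.9

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def extensions(cert_der):
    """Return {extnID bytes: extnValue contents} for a DER certificate."""
    _, cert = next(tlvs(cert_der))
    _, tbs = next(tlvs(cert))
    for tag, val in tlvs(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            _, exts = next(tlvs(val))
            return {f[0][1]: f[-1][1] for f in (list(tlvs(e)) for _, e in tlvs(exts))}
    return {}

def ext_items(cert_der, oid):
    """(tag, value) pairs inside the named extension's SEQUENCE; empty if absent."""
    raw = extensions(cert_der).get(oid)
    return list(tlvs(next(tlvs(raw))[1])) if raw else []

def is_ca(cert_der):  # cA BOOLEAN defaults to FALSE when omitted
    return any(t == 0x01 and v != b"\x00" for t, v in ext_items(cert_der, OID_BASIC_CONSTRAINTS))

def has_ocsp_signing(cert_der):
    return any(t == 0x06 and v == OID_KP_OCSP_SIGNING for t, v in ext_items(cert_der, OID_EXT_KEY_USAGE))

# Constructed sample input: certificate-shaped DER skeletons, not real certificates.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length only (< 128 bytes)
def ext(oid, value):
    return der(0x30, der(0x06, oid), der(0x04, value))
def skeleton(*exts):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0xA3, der(0x30, *exts)))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
CA_CERT = skeleton(ext(OID_BASIC_CONSTRAINTS, der(0x30, der(0x01, b"\xff"))))
OCSP_CERT = skeleton(ext(OID_EXT_KEY_USAGE, der(0x30, der(0x06, OID_KP_OCSP_SIGNING))))
```

The same two functions accept the DER bytes of a real v3 certificate; signature and chain validation are outside what this sketch does.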