[Openswan Users] X.509 key usage

Andreas Steffen andreas.steffen at strongsec.net
Tue Jul 20 08:11:19 CEST 2004


<draft-ietf-pki4ipsec-ikecert-profile-01.txt> is the latest update of

  "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"

...

4.1.3.2. KeyUsage

KeyUsage is not defined in the context of IPsec. Implementations SHOULD
accept certificates with any set of KeyUsage bits asserted, as certificates
may be used for multiple applications.

...

4.1.3.12. ExtendedKeyUsage

ExtendedKeyUsage is not defined in the context of IKE/IPsec. Implementations
SHOULD accept certificates with any set of ExtendedKeyUsage usages asserted.
Implementations MUST NOT generate this extension in certificates which are
being used for IPsec.

Note that a previous proposal for the use of three ExtendedKeyUsage values
is obsolete and explicitly deprecated by this specification. For historical
reference, those values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel,
and id-kp-ipsecUser.

...

As you can see the current recommendation is to ignore both the KU and EKU
fields. But the discussion on that topic is still very lively within the
Pki4ipsec working group. Probably the pendulum is going to swing back
in favor of more rigid control on KU and EKU use.

Regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
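To make the profile text above concrete, here is an added example (not part of this post and not Openswan code) that decodes the DER value of a KeyUsage and an ExtendedKeyUsage extension the way a peer following the draft would: it records what is asserted, flags the three obsolete id-kp-ipsec* values (dotted OIDs taken from the RFC 2459 id-kp arc) for the operator's information, and still accepts the certificate. The DER sample bytes are hand-constructed for the demo, not taken from a real certificate.

```python
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
# The three obsolete id-kp-ipsec* EKU values named in the draft (RFC 2459 OIDs).
DEPRECATED_IPSEC_EKU = {"1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
                        "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
                        "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser"}

def _tlv(buf, pos):
    # Parse one DER TLV with a definite length; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_key_usage(der):
    """KeyUsage BIT STRING -> set of asserted bit names (bit 0 is the MSB)."""
    tag, val, _ = _tlv(der, 0)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, bits = val[0], val[1:]            # first byte = count of unused bits
    nbits = min(len(bits) * 8 - unused, len(KU_BITS))
    return {KU_BITS[i] for i in range(nbits) if bits[i // 8] & (0x80 >> (i % 8))}

def _oid_to_str(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                         # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_ext_key_usage(der):
    """ExtendedKeyUsage SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "ExtendedKeyUsage must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        assert t == 0x06, "EKU members must be OIDs"
        oids.append(_oid_to_str(v))
    return oids

def audit(ku_der=None, eku_der=None):
    """Draft rule: any KU/EKU set is acceptable; only report what is present."""
    eku = decode_ext_key_usage(eku_der) if eku_der else []
    bad = [DEPRECATED_IPSEC_EKU[o] for o in eku if o in DEPRECATED_IPSEC_EKU]
    return {"key_usage": decode_key_usage(ku_der) if ku_der else set(),
            "ext_key_usage": eku, "deprecated_ipsec_eku": bad, "accept": True}

# Constructed sample values (hand-encoded DER, not from a real certificate):
SAMPLE_KU = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
SAMPLE_EKU = bytes.fromhex("3014" "06082b06010505070306" "06082b06010505070301")
```

Running `audit(SAMPLE_KU, SAMPLE_EKU)` reports the two KU bits, the ipsecTunnel and serverAuth OIDs, and id-kp-ipsecTunnel as deprecated, while `accept` stays True as section 4.1.3.2 and 4.1.3.12 require.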

