[Openswan Users] X.509 key usage

Gregor Bethlen saphira at bethlen.de
Tue Jul 20 09:53:02 CEST 2004

Andreas Steffen <andreas.steffen at strongsec.net> wrote on 20.07.04 07:11:38:
> [...]
> As you can see the current recommendation is to ignore both the KU and EKU
> fields. But the discussion on that topic is still very lively within the
> Pki4ipsec working group. Probably the pendulum is going to swing back
> in favor of more rigid control on KU and EKU use.

OK, ignoring KU and EKU is recommended by the IPSec-specification. But PKIX says these fields should be processed (OK, SHOULD be). But in my opinion, they MUST be processed if they are marked critical.

Perhaps the exact behavior of OpenS/WAN with KU/EKU could be added to the readme.X509. The whole question doesn't arise if you have certificates and a CA just for VPN. But it could be interesting if you have one company-CA which generates certificates for all purposes. At least a "KU/EKU aren't processed" could go to the readme ...

Thanks for your time,

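The policy argued for in the message above (enforce KU/EKU only when the extension is marked critical), as an added example that is not part of the original post and not Openswan code. It assumes the Python `cryptography` package; `make_cert` and `check_usage` are hypothetical helpers, the certificates are constructed test data, and the accepted usages (digitalSignature in KU; anyExtendedKeyUsage or id-kp-ipsecIKE in EKU) are assumptions about what an IKE peer would require.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumption: EKU purposes an IKE peer accepts when EKU is marked critical.
IKE_EKUS = {ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE,
            x509.ObjectIdentifier("1.3.6.1.5.5.7.3.17")}  # id-kp-ipsecIKE

def make_cert(ku_critical, digital_signature, ekus=None, eku_critical=False):
    """Build a self-signed, constructed test certificate with the given KU/EKU."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-vpn-peer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.KeyUsage(
                   digital_signature=digital_signature, content_commitment=False,
                   key_encipherment=not digital_signature, data_encipherment=False,
                   key_agreement=False, key_cert_sign=False, crl_sign=False,
                   encipher_only=False, decipher_only=False), critical=ku_critical))
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=eku_critical)
    return builder.sign(key, hashes.SHA256())

def check_usage(cert):
    """Return (accepted, reason); KU/EKU are enforced only when marked critical."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage)
        if ku.critical and not ku.value.digital_signature:
            return False, "critical KU without digitalSignature"
    except x509.ExtensionNotFound:
        pass  # no KU extension: nothing to enforce
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
        if eku.critical and not IKE_EKUS.intersection(eku.value):
            return False, "critical EKU without an IKE-compatible purpose"
    except x509.ExtensionNotFound:
        pass  # no EKU extension: nothing to enforce
    return True, "no critical usage restriction violated"
```

With a single company CA issuing certificates for all purposes, this is the check that keeps a certificate whose critical EKU names only another purpose from being accepted as a VPN peer credential.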