
Re: -ipsec-pki-req-03 - EKU's

Paul Hoffman wrote:
> At 12:24 PM 10/27/99 +0200, Rodney Thayer wrote:
> >Regarding the EKU discussion...
> >
> >I originally put in two kinds of EKUs -- one for end systems and
> >one for intermediate systems. It is my opinion that you want to be
> >able to label a certificate with this information:
> >
> >   -- it's for IPsec
> >   -- it's for an end system (only this machine)
> >   -- it's for a gateway ("intermediate") system (it can do IPsec
> >      for packets it forwards)
> Question to the group: is there a value for both the second and third
> requirements? I have heard arguments both ways.


Are you asking whether there is value in making the second and
third mandatory in the spec?

No surprise, but my vote is that all of them might have value in
certain circumstances, but that none should be mandatory. 

> I think we need to require it in the profile so that there is a definitive
> way for an IKE system to say "this cert can be used for IKE". Without such
> a requirement, the IKE system has to make too many guesses that can lead to
> lack of interoperability.

We seem to be interoperating fine right now without EKU.  ;)

> I will play PKIX lawyer for a moment (even though I hear guffaws from the
> peanut gallery). We can put this either in EKU or policy. There are many
> folks in the PKIX WG who have argued (I think persuasively) that key usage
> is a type of policy. Having said that, there is no advantage of one over
> the other, so I think that we should leave whatever we do in EKU.

Leaving it in the policy means less stuff to process in the certificate.
In some environments that might be an advantage.

> I agree.
> --Paul Hoffman, Director
> --VPN Consortium

briank@cs.stanford.edu      (play)
briank@network-alchemy.com  (work)
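The thread above argues over whether an IKE implementation needs an EKU value to know that a certificate is meant for IPsec, and for which role. The following is an added example, not code from anyone in this thread: a small pure-Python DER decoder for an X.509 Extended Key Usage extension value (a SEQUENCE OF OBJECT IDENTIFIER) plus the decision an IKE peer could make from it. The OIDs are the id-kp values registered in RFC 2459 (ipsecEndSystem, ipsecTunnel, ipsecUser, serverAuth); the sample extension bytes and the function names are constructed for this example. The "unknown" return is the case Paul describes: no EKU at all, so the peer is left guessing.

```python
# Added example (not from the thread): decode an EKU extnValue and map it
# to the IPsec roles discussed above. Pure Python, standard library only.
# OIDs are the id-kp arcs from RFC 2459 section 4.2.1.13.
SERVER_AUTH      = "1.3.6.1.5.5.7.3.1"
IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
IPSEC_TUNNEL     = "1.3.6.1.5.5.7.3.6"
IPSEC_USER       = "1.3.6.1.5.5.7.3.7"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID contents (not the tag/length) to dotted form.
    First byte packs arc1*40+arc2, which is exact for arc1 in {0,1} as here."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(ext_value):
    """Parse an EKU extnValue (SEQUENCE OF OID) into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(raw))
    return oids


def ike_role_from_eku(ext_value):
    """Role an IKE peer can read off the EKU, or 'unknown' when it must guess.
    'gateway'    - ipsecTunnel present: cert may protect forwarded packets
    'end-system' - ipsecEndSystem only: cert is for this host
    'user'       - ipsecUser only
    'not-ipsec'  - EKU present but names no IPsec purpose (e.g. serverAuth)
    'unknown'    - no EKU extension in the certificate at all"""
    if ext_value is None:
        return "unknown"
    oids = set(parse_eku(ext_value))
    if IPSEC_TUNNEL in oids:
        return "gateway"
    if IPSEC_END_SYSTEM in oids:
        return "end-system"
    if IPSEC_USER in oids:
        return "user"
    return "not-ipsec"


# --- encoder, used only to construct sample extension values for this example ---
def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return b"\x06" + bytes([len(out)]) + out


def encode_eku(oids):
    """DER-encode a SEQUENCE OF OID (short-form length; fine for < 128 bytes)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(body)]) + body


# Constructed sample extnValues (hypothetical certificates, not real ones).
GATEWAY_EKU = encode_eku([IPSEC_TUNNEL, IPSEC_END_SYSTEM])
HOST_EKU    = encode_eku([IPSEC_END_SYSTEM])
WEB_EKU     = encode_eku([SERVER_AUTH])

if __name__ == "__main__":
    for name, ext in [("gateway", GATEWAY_EKU), ("host", HOST_EKU),
                      ("web", WEB_EKU), ("no-eku", None)]:
        print(name, "->", ike_role_from_eku(ext))
```

The decoder handles long-form DER lengths so it works on real extension values pulled out of a certificate, while the encoder is kept short-form because it only builds the small samples. Policy-based labelling, the alternative raised in the thread, would need a certificatePolicies decoder instead; this block shows only the EKU path.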