1 / 7

PKI4IPsec use of the ExtendedKeyUsage Certificate Extension

PKI4IPsec use of the ExtendedKeyUsage Certificate Extension. Russ Housley 3 August 2005. Outline. Background Issue Summary Discussion. Key Purpose OIDs. -- extended key purpose identifiers id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }

crwys
Download Presentation

PKI4IPsec use of the ExtendedKeyUsage Certificate Extension

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PKI4IPsec use of the ExtendedKeyUsageCertificate Extension Russ Housley 3 August 2005

  2. Outline • Background • Issue Summary • Discussion

  3. Key Purpose OIDs -- extended key purpose identifiers id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 } id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 } id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 } id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } id-kp-dvcs OBJECT IDENTIFIER ::= { id-kp 10 } id-kp-sbgpCertAAServerAuth OBJECT IDENTIFIER ::= { id-kp 11 } id-kp-scvp-responder OBJECT IDENTIFIER ::= { id-kp 12 } id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 } id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 } id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 } id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 }

  4. Certificate Profile Recommendation The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in certificates for use with IKE. Current consensus is to deprecate use of the previously assigned key purpose OIDs…

  5. Revised Client Processing A summary of the logic flow for peer certificate validation regarding the EKU extension follows: o If told (by configuration) to ignore non-critical ExtendedKeyUsage (EKU), accept cert regardless of the presence or absence of the extension. o If no EKU extension, accept cert. o If EKU extension present AND (either anyExtendedKeyUsage or id-kp-tbd-IKE-oid) is included, accept cert. o Otherwise, reject cert.

  6. The Open Issue • Want to support a certificate validation library that supports many different applications that are running on a single platform • EKU is helpful in this environment to ensure that a certificate is only used with the intended application

  7. Discussion • Historically, the assigned key purpose OIDs have not been used • The assigned OIDs do not align with the way IPsec is deployed today

More Related