PKI4IPsec use of the ExtendedKeyUsage Certificate Extension - PowerPoint PPT Presentation


Slides: 8
Provided by: RussHo4
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
PKI4IPsec use of the ExtendedKeyUsage Certificate Extension
  • Russ Housley
  • 3 August 2005

2
Outline
  • Background
  • Issue Summary
  • Discussion

3
Key Purpose OIDs
  • -- extended key purpose identifiers
  • id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
  • id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
  • id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
  • id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
  • id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
  • id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
  • id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
  • id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
  • id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
  • id-kp-dvcs OBJECT IDENTIFIER ::= { id-kp 10 }
  • id-kp-sbgpCertAAServerAuth OBJECT IDENTIFIER ::= { id-kp 11 }
  • id-kp-scvp-responder OBJECT IDENTIFIER ::= { id-kp 12 }
  • id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }
  • id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }
  • id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 }
  • id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 }

4
Certificate Profile Recommendation
  • The CA SHOULD NOT include the
    ExtendedKeyUsage (EKU) extension in certificates
    for use with IKE.

  • Current consensus is to deprecate use of the
    previously assigned key purpose OIDs

5
Revised Client Processing
  • A summary of the logic flow for peer
    certificate validation regarding
    the EKU extension follows:
    o If told (by configuration) to ignore
      non-critical ExtendedKeyUsage (EKU),
      accept cert regardless of the presence
      or absence of the extension.
    o If no EKU extension, accept cert.
    o If EKU extension present AND (either
      anyExtendedKeyUsage or id-kp-tbd-IKE-oid) is
      included, accept cert.
    o Otherwise, reject cert.
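The decision flow on this slide, together with the DER shape of the key purpose identifiers on the "Key Purpose OIDs" slide, as an added example. This is not code from the presentation or from any IETF draft: it encodes and parses an ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER) with constructed sample OIDs and then applies the four steps in order. The slide names the IKE key purpose only as "id-kp-tbd-IKE-oid", so the arc used for it here is a placeholder; the function names, the handling of a malformed extension as a rejection, and the reading that a critical EKU still goes through the OID check when the ignore-non-critical knob is set are all this example's assumptions.

```python
from typing import List, Optional

ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # anyExtendedKeyUsage (RFC 3280)
ID_KP = "1.3.6.1.5.5.7.3"                # id-kp arc (RFC 3280)
ID_KP_SERVER_AUTH = ID_KP + ".1"         # id-kp-serverAuth
ID_KP_IPSEC_END_SYSTEM = ID_KP + ".5"    # id-kp-ipsecEndSystem
# The slide calls the IKE key purpose "id-kp-tbd-IKE-oid"; this arc value is a
# constructed placeholder for the example, not an assigned identifier.
ID_KP_IKE_PLACEHOLDER = ID_KP + ".999"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _base128(n: int) -> bytes:
    """Base-128 encoding of one OID arc, high bit set on all but the last octet."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in dotted.split(".")]
    return bytes([40 * arcs[0] + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (second arc below 40 assumed)."""
    first = content[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids: List[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId, as DER."""
    content = b""
    for oid in oids:
        body = encode_oid(oid)
        content += b"\x06" + _der_length(len(body)) + body
    return b"\x30" + _der_length(len(content)) + content


def parse_eku(der: bytes) -> List[str]:
    """Parse a DER ExtKeyUsageSyntax value into dotted OID strings."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def accept_ike_peer_cert(eku_der: Optional[bytes], eku_critical: bool,
                         ignore_noncritical_eku: bool) -> bool:
    """The slide's four steps; eku_der is None when the cert has no EKU extension."""
    # Step 1: configured to ignore a non-critical EKU -> accept regardless of
    # presence or absence. A critical EKU still falls through to the OID check
    # (this example's reading of the slide, not stated there).
    if ignore_noncritical_eku and (eku_der is None or not eku_critical):
        return True
    # Step 2: no EKU extension -> accept.
    if eku_der is None:
        return True
    # Step 3: EKU present and anyExtendedKeyUsage or the IKE OID listed -> accept.
    try:
        oids = parse_eku(eku_der)
    except (ValueError, IndexError):      # malformed extension: treat as reject
        return False
    if ANY_EXTENDED_KEY_USAGE in oids or ID_KP_IKE_PLACEHOLDER in oids:
        return True
    # Step 4: otherwise reject.
    return False
```

A cert carrying only id-kp-serverAuth is rejected unless the validator is configured to ignore non-critical EKU, which is exactly the interoperability tension the next slide raises: a shared validation library wants the EKU to bind a cert to one application, while deployed IKE certificates mostly carry none of the assigned IPsec purposes.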

6
The Open Issue
  • Want to support a certificate validation library
    that supports many different applications that
    are running on a single platform
  • EKU is helpful in this environment to ensure that
    a certificate is only used with the intended
    application

7
Discussion
  • Historically, the assigned key purpose OIDs have
    not been used
  • The assigned OIDs do not align with the way IPsec
    is deployed today