PKI4IPsec use of the ExtendedKeyUsage Certificate Extension
Russ Housley
3 August 2005
Outline
• Background
• Issue Summary
• Discussion
Key Purpose OIDs

-- Extended key purpose identifiers registered under the PKIX id-kp arc.
-- The arc definitions and anyExtendedKeyUsage (RFC 3280, Section 4.2.1.13)
-- are added here for reference; the slide listed only the id-kp values.
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6)
    internet(1) security(5) mechanisms(5) pkix(7) }
id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
-- special purpose that matches any application (used in client processing below)
anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
id-kp-dvcs OBJECT IDENTIFIER ::= { id-kp 10 }
id-kp-sbgpCertAAServerAuth OBJECT IDENTIFIER ::= { id-kp 11 }
id-kp-scvp-responder OBJECT IDENTIFIER ::= { id-kp 12 }
id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }
id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }
id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 }
id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 }
Certificate Profile Recommendation
The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in certificates for use with IKE. Current consensus is to deprecate use of the previously assigned key purpose OIDs…
Revised Client Processing
A summary of the logic flow for peer certificate validation regarding the EKU extension follows:
o If told (by configuration) to ignore a non-critical ExtendedKeyUsage (EKU) extension, accept the cert regardless of the presence or absence of the extension.
o If there is no EKU extension, accept the cert.
o If the EKU extension is present AND either anyExtendedKeyUsage or id-kp-tbd-IKE-oid is included, accept the cert.
o Otherwise, reject the cert.
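The four-step flow above as runnable code. This is an added example, not code from the slides or from any IKE implementation: it carries its own minimal DER encoder/decoder for ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) so that sample extensions can be constructed and parsed offline, and it adds the one caveat the slide leaves implicit, namely that the "ignore" configuration applies only to a non-critical EKU (a critical extension that is not processed must cause rejection under RFC 3280). The slide leaves the IKE purpose as id-kp-tbd-IKE-oid; the value used here, { id-kp 17 }, is the one RFC 4945 later assigned as id-kp-ipsecIKE and is passed as a parameter so it can be swapped. Function names and sample data are this example's own.

```python
"""EKU acceptance for IKE peer certificates (added example; not from the slides)."""
from typing import List, Optional, Sequence

ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"      # anyExtendedKeyUsage, RFC 3280
ID_KP = "1.3.6.1.5.5.7.3"
ID_KP_SERVER_AUTH = ID_KP + ".1"
# The slide says "id-kp-tbd-IKE-oid"; RFC 4945 later assigned id-kp-ipsecIKE = { id-kp 17 }.
ID_KP_IPSEC_IKE = ID_KP + ".17"


def _len(n: int) -> bytes:
    """DER length octets (short form below 128, minimal long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted form; first two arcs are packed."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _len(len(body)) + body


def encode_eku(oids: Sequence[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (the extnValue of an EKU extension)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); rejects truncated and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der: bytes) -> List[str]:
    """Parse ExtKeyUsageSyntax into dotted OIDs; an empty SEQUENCE is invalid (SIZE (1..MAX))."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU extnValue must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(v))
    if not oids:
        raise ValueError("ExtKeyUsageSyntax requires at least one KeyPurposeId")
    return oids


def accept_for_ike(eku_der: Optional[bytes], *, eku_critical: bool = False,
                   ignore_noncritical_eku: bool = False,
                   ike_oid: str = ID_KP_IPSEC_IKE) -> bool:
    """Decide whether a peer cert may be used for IKE, following the slide's four steps."""
    # Step 1: configured to ignore EKU. Only a NON-critical EKU may be ignored; an
    # unprocessed critical extension must reject the cert (RFC 3280, Section 4.2).
    if ignore_noncritical_eku and not eku_critical:
        return True
    # Step 2: no EKU extension at all.
    if eku_der is None:
        return True
    # Step 3: anyExtendedKeyUsage or the IKE purpose is listed.
    try:
        purposes = decode_eku(eku_der)
    except ValueError:
        return False  # a malformed extension is a reject, never treated as "absent"
    if ANY_EXTENDED_KEY_USAGE in purposes or ike_oid in purposes:
        return True
    # Step 4: EKU present but names only other applications.
    return False


# Constructed sample extnValues (not taken from any real certificate).
SAMPLE_IKE = encode_eku([ID_KP_IPSEC_IKE])
SAMPLE_TLS_ONLY = encode_eku([ID_KP_SERVER_AUTH])
SAMPLE_TLS_PLUS_ANY = encode_eku([ID_KP_SERVER_AUTH, ANY_EXTENDED_KEY_USAGE])
```

A TLS server certificate (SAMPLE_TLS_ONLY) is rejected by default, accepted when the administrator has chosen to ignore a non-critical EKU, and rejected again if that same EKU is marked critical; a certificate with no EKU at all, the profile the slides recommend, is accepted without any configuration.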
The Open Issue
• Want to support a certificate validation library that serves many different applications running on a single platform
• EKU is helpful in this environment to ensure that a certificate is only used with the intended application
Discussion
• Historically, the assigned key purpose OIDs have not been used
• The assigned OIDs do not align with the way IPsec is deployed today