On Sep 22, 2010, at 9:44 AM, Paul Hoffman wrote:

> At 10:21 AM -0600 9/22/10, Peter Saint-Andre wrote:
>> On 9/14/10 12:51 AM, Stefan Santesson wrote:
>>> General:
>>> I would consider stating that server certificates according to this profile
>>> either MUST or SHOULD have the serverAuth EKU set since it is always
>>> related to the use of TLS and server authentication. At least it MUST be set
>>> when allowing checks of the CN-ID (see 2.3 below).
>>
>> [..snip..]
>
> What possible advantage is there to making certificates that do not have this
> flag set be excluded from the practices you are defining? That is, if a TLS
> client gets a certificate from a TLS server that the TLS server says is its
> authentication certificate, why should the client care whether or not that
> flag is set? That flag is an assertion from the CA, not from the server who
> is authenticating.

Does this point need discussion? Without checking, I suspect that 5280 says you obey the EKU, period. OTOH I think Paul raises a valid point. OTOH (again) one could argue that the EKU provides a way to prevent a stolen cert/key issued to the machine for a different function from being repurposed to support a fake server. (I'm not convinced this is significant, but it's something.)

Absent discussion and consensus, I vote for whatever 5280 says, which I suppose is what the current silence on the topic equates to.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu