Dr Stephen Henson wrote:
> 
> Michael Ströder wrote:
> >
> > http://www.microsoft.com/security/tech/certificates/structuring.asp
> 
> I wouldn't recommend that document:
> [..]
> Following the advice here caused me lots of trouble.

Can you give some details about the troubles you had?

> Over a year after
> its date I duly followed the advice about critical extensions only
> to find the version of Outlook at the time rejected them.

I set my keyUsage and extendedKeyUsage attributes according to the
document I mentioned above but did not mark any attribute critical. The
descriptions of keyUsage and extendedKeyUsage seemed to make sense to
me. Will this cause trouble for cert users?

Examples:

CA certs:
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = 1.3.6.1.5.5.7.3.4
(I know that basicConstraints = CA:true should be marked critical but
according to doc/openssl.txt this might cause trouble with older
applications...)

Certs only used for e-mail (encryption and signing):
keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation
nsCertType = email

Certs only used for client authentication:
keyUsage = digitalSignature, nonRepudiation, keyAgreement
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
nsCertType       = client

Server certs:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, msSGC,nsSGC
nsCertType       = server
(msSGC,nsSGC only makes sense if the corresponding CA certs are tagged
in a special way for enabling Server Gated Cryptography / Global Server
ID)

Object signing certs:
keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation, keyAgreement
extendedKeyUsage = 1.3.6.1.5.5.7.3.3
nsCertType       = objsign

Will I have problems with these X.509v3 attributes? Any suggestions for
improving it? Maybe it's worth discussing a good example configuration
here.

Ciao, Michael.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
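The five extension sections in the post above, encoded to DER and checked against the RFC 5280 rules that bear on the "should I mark them critical?" question, as an added example in Python (standard library only; not code from the message or from OpenSSL). The DER is hand-rolled so that the exact bytes of the critical flag and of the keyUsage bits are visible; nsCertType is omitted, the msSGC and nsSGC names are mapped to the OIDs OpenSSL uses for them, and the lint rules are the RFC 5280 requirements on keyCertSign/basicConstraints and on criticality plus RFC 3279's list of keyUsage bits for RSA keys. The POST_PROFILES dict is constructed sample input copied from the sections above.

```python
"""Encode and lint the X.509v3 extension sections from the post (added example, not code
from the message or from OpenSSL; standard library only, with hand-rolled DER)."""
# keyUsage bit numbers from RFC 5280 4.2.1.3, keyed by OpenSSL's config names.
KEY_USAGE_BITS = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
                  "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
                  "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8}
# OpenSSL short names for the extendedKeyUsage OIDs that appear in the post.
EKU_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
            "codeSigning": "1.3.6.1.5.5.7.3.3", "emailProtection": "1.3.6.1.5.5.7.3.4",
            "msSGC": "1.3.6.1.4.1.311.10.3.3", "nsSGC": "2.16.840.1.113730.4.1"}
OID_BASIC_CONSTRAINTS, OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.19", "2.5.29.15", "2.5.29.37"
DER_TRUE = b"\x01\x01\xff"  # BOOLEAN TRUE; DER omits a BOOLEAN equal to its DEFAULT (FALSE)

def tlv(tag, body):
    # Tag-length-value with DER length octets (short form below 128, long form above).
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_key_usage(names):
    """keyUsage BIT STRING: bit 0 is the MSB of the first byte; DER strips trailing zero bits."""
    bits = [KEY_USAGE_BITS[n] for n in names]
    nbits = max(bits) + 1
    value = bytearray((nbits + 7) // 8)
    for bit in bits:
        value[bit // 8] |= 0x80 >> (bit % 8)
    return tlv(0x03, bytes([len(value) * 8 - nbits]) + bytes(value))

def parse_value(text):
    # Split an openssl.cnf-style value such as "critical, keyCertSign, cRLSign".
    items = [t.strip() for t in text.split(",") if t.strip()]
    critical = bool(items) and items[0] == "critical"
    return critical, (items[1:] if critical else items)

def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    return tlv(0x30, encode_oid(oid) + (DER_TRUE if critical else b"") + tlv(0x04, value))

def encode_profile(section):
    """DER Extensions SEQUENCE for a dict shaped like an openssl.cnf extension section."""
    exts = b""
    if "basicConstraints" in section:
        crit, items = parse_value(section["basicConstraints"])
        ca = any(i.upper() == "CA:TRUE" for i in items)
        exts += encode_extension(OID_BASIC_CONSTRAINTS, crit, tlv(0x30, DER_TRUE if ca else b""))
    if "keyUsage" in section:
        crit, items = parse_value(section["keyUsage"])
        exts += encode_extension(OID_KEY_USAGE, crit, encode_key_usage(items))
    if "extendedKeyUsage" in section:
        crit, items = parse_value(section["extendedKeyUsage"])
        oids = b"".join(encode_oid(EKU_OIDS.get(i, i)) for i in items)
        exts += encode_extension(OID_EXT_KEY_USAGE, crit, tlv(0x30, oids))
    return tlv(0x30, exts)

def lint(section):
    """RFC 5280 / RFC 3279 checks that bear on the question in the post; returns findings."""
    bc_crit, bc = parse_value(section.get("basicConstraints", ""))
    ku_crit, usages = parse_value(section.get("keyUsage", ""))
    is_ca = any(i.upper() == "CA:TRUE" for i in bc)
    findings = []
    if "keyCertSign" in usages and not is_ca:
        findings.append("keyCertSign asserted but basicConstraints is not CA:true (RFC 5280 4.2.1.3)")
    if is_ca and not bc_crit:
        findings.append("basicConstraints MUST be critical in a CA certificate (RFC 5280 4.2.1.9)")
    if usages and not ku_crit:
        findings.append("keyUsage present but not critical; RFC 5280 4.2.1.3 says it SHOULD be")
    if "keyAgreement" in usages:
        findings.append("keyAgreement is for DH/ECDH keys; RFC 3279 does not list it for RSA keys")
    return findings

# The five sections from the post as constructed sample input (nsCertType is Netscape-only and omitted).
POST_PROFILES = {
    "ca": {"basicConstraints": "CA:true", "keyUsage": "cRLSign, keyCertSign",
           "extendedKeyUsage": "1.3.6.1.5.5.7.3.4"},
    "email": {"keyUsage": "keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation"},
    "client": {"keyUsage": "digitalSignature, nonRepudiation, keyAgreement",
               "extendedKeyUsage": "1.3.6.1.5.5.7.3.2"},
    "server": {"keyUsage": "digitalSignature, nonRepudiation, keyEncipherment",
               "extendedKeyUsage": "1.3.6.1.5.5.7.3.1, msSGC, nsSGC"},
    "objsign": {"keyUsage": "keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation, keyAgreement",
                "extendedKeyUsage": "1.3.6.1.5.5.7.3.3"},
}

if __name__ == "__main__":
    for name, section in POST_PROFILES.items():
        print(name, encode_profile(section).hex(), *("\n   ! " + f for f in lint(section)))
```

Running it prints each section's DER and the findings. The CA section as written in the post gets two: basicConstraints and keyUsage are both non-critical, which is exactly the trade-off the post weighs against older applications; writing them as `critical, CA:true` and `critical, cRLSign, keyCertSign` makes the lint pass. On the wire the difference is one BOOLEAN: `basicConstraints = CA:true` encodes as `300c0603551d13040530030101ff`, while the critical form inserts `0101ff` between the OID and the OCTET STRING. The client and objsign sections also get the keyAgreement note, which only matters if the keys are RSA.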
