On Tue, Oct 26, 2004, TAYLOR, TIM (CONTRACTOR) wrote:

> >Well this could have been controlled in the certificates themselves by
> >including an extended key usage extension to allow client authentication or
> >email protection. Then a savvy browser wouldn't present the wrong certificate
> >type.
> 
> I have noticed that the cert I don't want to show up has the following extended key 
> usage:
> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
> Secure Email (1.3.6.1.5.5.7.3.4)
> Client Authentication (1.3.6.1.5.5.7.3.2)
> 
> While the one I want to show up has no extended key usage.
> 
> How does/can SSL/TLS use OID 2 5 29 37 (or any other extension for that matter)?
> 
> Or were you implying a browser customization?
> 
> Netscape and IE present them both, I thought, because they are both of the RSA-sign 
> type.
> 

No EKU implies the certificate can be used for any purpose which is consistent
with other extensions.

If EKU is present and the browser recognizes it I'd expect a browser to only
allow certificates which include Client Authentication. 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
