On Tue, Oct 26, 2004, TAYLOR, TIM (CONTRACTOR) wrote:

> >Well this could have been controlled in the certificates themselves by
> >including an extended key usage extension to allow client authentication or
> >email protection. Then a savvy browser wouldn't present the wrong certificate
> >type.
>
> I have noticed that the cert I don't want to show up has the following extended key
> usage:
> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
> Secure Email (1.3.6.1.5.5.7.3.4)
> Client Authentication (1.3.6.1.5.5.7.3.2)
>
> While the one I want to show up has no extended key usage.
>
> How does/can SSL/TLS use OID 2 5 29 37 (or any other extension for that matter)?
>
> Or were you implying a browser customization?
>
> Netscape and IE present them both, I thought, because they are both of the RSA-sign
> type.
>
No EKU implies the certificate can be used for any purpose which is consistent
with other extensions.

If EKU is present and the browser recognizes it I'd expect a browser to only
allow certificates which include Client Authentication.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
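
The rule stated in the reply above, applied to certificates shaped like the ones in the question, as an added example (not part of the thread and not OpenSSL code). It uses Go's crypto/x509 to issue constructed self-signed certificates and parse them back; the function names, the certificate labels and the acceptance of anyExtendedKeyUsage are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// allowsClientAuth: absent EKU = no EKU restriction; present EKU must list clientAuth (anyExtendedKeyUsage also accepted: assumption).
func allowsClientAuth(c *x509.Certificate) bool {
	ok := len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0
	for _, u := range c.ExtKeyUsage {
		ok = ok || u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny
	}
	return ok
}

// decisions issues three constructed self-signed certificates, parses each back from DER and applies the rule.
func decisions() (map[string]bool, error) {
	email, client := x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth
	smartCard := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Smart Card Logon OID quoted in the question
	out := map[string]bool{}
	for name, t := range map[string]*x509.Certificate{
		"no-eku":                     {},
		"smartcard-email-clientauth": {ExtKeyUsage: []x509.ExtKeyUsage{email, client}, UnknownExtKeyUsage: []asn1.ObjectIdentifier{smartCard}},
		"email-only":                 {ExtKeyUsage: []x509.ExtKeyUsage{email}},
	} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway test key
		if err != nil {
			return nil, err
		}
		t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(1), time.Now(), time.Now().Add(time.Hour)
		der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		out[name] = allowsClientAuth(c)
	}
	return out, nil
}

func main() { fmt.Println(decisions()) }
```

Both the certificate with no EKU and the one listing Client Authentication pass the check, so an EKU filter alone does not separate the two certificates described in the question; only the email-only certificate is excluded.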