> [[email protected] - Wed Sep 29 09:38:22 2010]:
>
> Hi,
>
> The extended key usages id-kp-ipsecEndSystem, id-kp-ipsecTunnel and
> id-kp-ipsecUser are obsoleted as per RFC 4945 § 5.1.3.12 section title
> "ExtendedKeyUsage":
>
> ... Note that there were three IPsec-related object identifiers in EKU
> that were assigned in 1999. The semantics of these values were never
> clearly defined. The use of these three EKU values in IKE/IPsec is
> obsolete and explicitly deprecated by this specification. CAs SHOULD NOT
> issue certificates for use in IKE with them. (For historical reference
> only, those values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and
> id-kp-ipsecUser.) ...
>
> I believe that the attached patch removes these extended key usages to
> comply with the SHOULD NOT assertion in RFC 4945.
>
> Note: A new extended key usage has been created for the Internet Key
> Exchange (IKE) called id-kp-ipsecIKE. A follow-up issue
> will be created for that.
>
The OID tables, among other things, translate an OID into a human-readable form.

We do not normally delete obsolete OIDs because this creates binary compatibility issues. Also they can still be useful for diagnostic purposes: for example anything using the obsolete OIDs is clearly visible when the textual representation of the certificate is displayed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
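The diagnostic use described in the reply, as an added example that is not part of the original thread and is not OpenSSL code: a small decoder that walks a DER-encoded ExtendedKeyUsage value and names each purpose, flagging the three EKUs that RFC 4945 deprecates. The table, the function names and the sample bytes are constructed for illustration; only short-form DER lengths are handled.

```c
#include <stdio.h>
#include <string.h>
/* DER content bytes of the id-kp arc 1.3.6.1.5.5.7.3; one more byte selects the purpose. */
static const unsigned char ID_KP[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03};

/* Illustrative subset of an OID table; obsolete entries are kept so they can still be named. */
struct eku_name { unsigned char last; const char *name; int obsolete; };
static const struct eku_name TABLE[] = {
    {1, "id-kp-serverAuth", 0},     {2, "id-kp-clientAuth", 0},
    {5, "id-kp-ipsecEndSystem", 1}, {6, "id-kp-ipsecTunnel", 1},
    {7, "id-kp-ipsecUser", 1},      {17, "id-kp-ipsecIKE", 0},
};

/* Constructed sample: EKU value holding serverAuth, ipsecEndSystem and ipsecIKE. */
static const unsigned char SAMPLE_EKU[] = {
    0x30, 0x1E,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x05,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x11,
};

/* Map one OID's content bytes to a table entry; NULL if it is not in the table. */
static const struct eku_name *lookup(const unsigned char *oid, size_t len) {
    if (len != sizeof ID_KP + 1 || memcmp(oid, ID_KP, sizeof ID_KP) != 0) return NULL;
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (TABLE[i].last == oid[len - 1]) return &TABLE[i];
    return NULL;
}

/* Walk a DER SEQUENCE OF OID (short-form lengths); returns obsolete count, -1 if malformed. */
int count_obsolete_ekus(const unsigned char *der, size_t len, int verbose) {
    if (len < 2 || der[0] != 0x30 || der[1] >= 0x80 || der[1] != len - 2) return -1;
    int hits = 0;
    for (size_t pos = 2; pos < len; ) {
        if (len - pos < 2 || der[pos] != 0x06 || der[pos + 1] >= 0x80) return -1;
        size_t olen = der[pos + 1];
        if (olen == 0 || olen > len - pos - 2) return -1;
        const struct eku_name *e = lookup(der + pos + 2, olen);
        if (verbose) printf("%-22s%s\n", e ? e->name : "(not in table)",
                            e && e->obsolete ? "obsolete (RFC 4945)" : "");
        if (e && e->obsolete) hits++;
        pos += 2 + olen;
    }
    return hits;
}

int main(void) {
    return count_obsolete_ekus(SAMPLE_EKU, sizeof SAMPLE_EKU, 1) == 1 ? 0 : 1;
}
```

If the three obsolete rows were deleted from the table, the same certificate would print "(not in table)" for the second purpose and the deprecated usage would no longer stand out.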
