On Wed, Sep 15, 2004, Pavel wrote:

> According to RFC 2459:
> If the Extended key usage field is flagged critical, the certificate MUST be used 
> only for one of the purposes indicated.
> If the extension is flagged non-critical, then it indicates the intended purpose or 
> purposes of the key, and may be used in finding the correct key/certificate of an 
> entity that has multiple keys/certificates. It is an advisory field and does not 
> imply that usage of the key is restricted by the certification authority to the 
> purpose indicated. Certificate using applications may nevertheless require that a 
> particular purpose be indicated in order for the 
> certificate to be acceptable to that application.

There are various security reasons why that old definition was inadvisable at
the best of times. One piece of software (which could *not* be ignored by CAs)
rejected any certificate with a critical extension no matter what it was. This
has resulted in many CAs being forced to make extensions non-critical for
interoperability reasons. 

There was also an old definition which said "if an extension is non-critical
it's only advisory", to which I'd argue that's not a very good idea for
basicConstraints because then anyone could be a CA.

RFC3280, which obsoletes RFC2459, says about extended key usage (section 4.2.13):

>If the extension is present, then the certificate MUST only be used for one
>of the purposes indicated.  

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
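To see the RFC 3280 rule quoted above applied in practice, here is an added example (not part of the thread, nor OpenSSL project code) that builds three constructed self-signed test certificates with the openssl command line and checks them with `openssl verify -purpose`: one without extendedKeyUsage, one with a non-critical clientAuth EKU, and one with the same EKU marked critical. It assumes OpenSSL 1.1.1 or later (for `-addext`) and a default openssl.cnf on the system.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): OpenSSL's
# "openssl verify -purpose" applies the RFC 3280 rule: if extendedKeyUsage
# is present, the certificate is usable only for the purposes listed,
# whether or not the extension is marked critical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME [EKU]: constructed self-signed test certificate (P-256 key,
# valid one day). EKU, if given, is passed as the extendedKeyUsage value
# via -addext, which needs OpenSSL 1.1.1 or later.
mkcert() {
    name=$1; eku=$2
    set -- -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" -days 1 \
        -subj "/CN=$name"
    if [ -n "$eku" ]; then
        set -- "$@" -addext "extendedKeyUsage=$eku"
    fi
    openssl req "$@" >/dev/null 2>&1
}

# usable PURPOSE NAME: return 0 if OpenSSL accepts the certificate for the
# given verify purpose (sslclient, sslserver, ...), 1 otherwise. The cert
# is used as its own trust anchor so that only the purpose check can fail.
usable() {
    if openssl verify -purpose "$1" -CAfile "$WORK/$2.pem" "$WORK/$2.pem" \
        >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

mkcert noeku                               # no EKU: no restriction
mkcert client "clientAuth"                 # non-critical EKU
mkcert client_crit "critical,clientAuth"   # same EKU, marked critical

# Expected: noeku accepted for both purposes; client and client_crit
# accepted as sslclient and rejected as sslserver (same result for both).
for n in noeku client client_crit; do
    for p in sslclient sslserver; do
        if usable "$p" "$n"; then r=accepted; else r=rejected; fi
        echo "$n as $p: $r"
    done
done
```

The rejected cases fail with "unsupported certificate purpose", and the critical flag makes no difference to the outcome.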