From RFC3280 section "4.2.1.13 Extended Key Usage"
If a certificate contains both a key usage extension and an extended key usage extension, then both extensions MUST be processed independently and the certificate MUST only be used for a purpose consistent with both extensions. If there is no purpose consistent with both extensions, then the certificate MUST NOT be used for any purpose.
Seems to me the purpose "smime-encryption" is not consistent with the Extended Key Usage extension "TLS Web Client Authentication" regardless of the contents of the other (Key Usage) extension.
Are you trying to push a definition that is in conflict with RFC3280, or am I just more confused than usual?
In particular, to support dual-certificate systems which use one certificate for authentication and a different certificate for encryption, and which rely on these bit settings to make using the wrong certificate (in both cases) impossible, I would strongly argue against ANY reading in which a certificate issued for authentication is considered valid for encryption. Consider the issue of private key escrow...
Rich Salz wrote:
> The extended key usage extension places additional restrictions on the certificate uses. If this extension is present (whether critical or not) the key can only be used for the purposes specified.
No it doesn't. Or rather, not quite. If you want a key to be used for *only* the purposes defined in the eKU list, then you must have an empty keyUsage attribute. keyUsage is a special bitmap of "well known" uses. The spec authors could have defined keyUsage as a list of OIDs and defined certain well-known OIDs with the current semantics, but they didn't.
Yes, it is confusing that you have to read it as "you may use this certificate for only the purposes listed in the keyUsage field (but assume "all bits on" if not present), *or only* for the purposes listed in the extendedKeyUsage field (but assume "all OIDs allowed" if not present)."
Read the sentence above carefully. :) /r$
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
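The RFC 3280 rule quoted at the top of the thread, written out as a check, as an added example that is neither part of this exchange nor OpenSSL's own code. It processes keyUsage and extendedKeyUsage independently, treats an absent extension as unrestricted, honours anyExtendedKeyUsage, and reports an empty purpose set for the "no purpose consistent with both extensions" case. The purpose-to-bit/OID mapping and the certificate descriptors are constructed assumptions for illustration (the descriptors are plain dicts in the shape a parser would hand back, not real certificates); the descriptor named "client-auth" is the case argued above, and "dual-sign"/"dual-encrypt" model the dual-certificate system Ben describes.

```python
"""Consistency check for keyUsage vs. extendedKeyUsage per RFC 3280 s4.2.1.13.

Added example, not code from the mailing-list thread or from OpenSSL.
The PURPOSES table and SAMPLE_CERTS below are constructed assumptions.
"""

# OIDs from RFC 3280 section 4.2.1.13 (id-kp arc and anyExtendedKeyUsage).
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Assumed mapping from an application purpose to what each extension must say.
# "ku": keyUsage bits, any one of which is consistent with the purpose
# "eku": the extendedKeyUsage OID the purpose requires if that extension is present
PURPOSES = {
    "tls-client-auth": {"ku": {"digitalSignature", "keyAgreement"}, "eku": CLIENT_AUTH},
    "tls-server-auth": {"ku": {"digitalSignature", "keyEncipherment", "keyAgreement"}, "eku": SERVER_AUTH},
    "smime-signing": {"ku": {"digitalSignature", "nonRepudiation"}, "eku": EMAIL_PROTECTION},
    "smime-encryption": {"ku": {"keyEncipherment", "keyAgreement"}, "eku": EMAIL_PROTECTION},
}


def ku_allows(key_usage, purpose):
    """keyUsage absent -> no restriction from this extension.
    Present -> at least one bit consistent with the purpose must be set."""
    if key_usage is None:
        return True
    return bool(PURPOSES[purpose]["ku"] & set(key_usage))


def eku_allows(ext_key_usage, purpose):
    """extendedKeyUsage absent -> no restriction from this extension.
    Present (critical or not) -> it must list the purpose's OID or anyExtendedKeyUsage."""
    if ext_key_usage is None:
        return True
    return ANY_EKU in ext_key_usage or PURPOSES[purpose]["eku"] in ext_key_usage


def usable_for(cert, purpose):
    """Both extensions are processed independently; the purpose must satisfy both."""
    return ku_allows(cert.get("keyUsage"), purpose) and eku_allows(cert.get("extendedKeyUsage"), purpose)


def allowed_purposes(cert):
    """All purposes consistent with both extensions; [] means MUST NOT be used at all."""
    return sorted(p for p in PURPOSES if usable_for(cert, p))


# Constructed descriptors (not parsed X.509): keyUsage is a set of bit names or None
# if the extension is absent, extendedKeyUsage is a set of OIDs or None if absent.
SAMPLE_CERTS = {
    # The case argued in the thread: issued for TLS client auth, KU also sets keyEncipherment.
    "client-auth": {"keyUsage": {"digitalSignature", "keyEncipherment"},
                    "extendedKeyUsage": {CLIENT_AUTH}},
    # Dual-certificate system: the authentication/signing certificate.
    "dual-sign": {"keyUsage": {"digitalSignature", "nonRepudiation"},
                  "extendedKeyUsage": {CLIENT_AUTH, EMAIL_PROTECTION}},
    # Dual-certificate system: the encryption certificate (the one key escrow would cover).
    "dual-encrypt": {"keyUsage": {"keyEncipherment"},
                     "extendedKeyUsage": {EMAIL_PROTECTION}},
    # No purpose consistent with both extensions: the certificate MUST NOT be used.
    "inconsistent": {"keyUsage": {"keyEncipherment"},
                     "extendedKeyUsage": {CLIENT_AUTH}},
    # keyUsage absent, anyExtendedKeyUsage present: neither extension restricts anything.
    "unrestricted": {"keyUsage": None, "extendedKeyUsage": {ANY_EKU}},
}


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name:14s} -> {allowed_purposes(cert) or 'MUST NOT be used for any purpose'}")
```

To run this against a real certificate, fill a descriptor from the two extensions as printed by `openssl x509 -in cert.pem -noout -ext keyUsage,extendedKeyUsage` (the `-ext` option exists in OpenSSL 1.1.1 and later); the example deliberately does not parse DER itself. Note that "dual-sign" lists emailProtection in its EKU and still comes out unusable for smime-encryption, because its keyUsage lacks keyEncipherment and keyAgreement: that is exactly the bit-level separation the dual-certificate argument above relies on.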
