kp-ipsec* has been formally deprecated by the IETF ipsec working
group, and thus if any implementation demands that they're there it's
a bug in that software.

-Kyle H

On Fri, Jul 17, 2009 at 12:46 AM, PMHager<h...@prima.de> wrote:
>
> Extract from obsoleted RFC2459:
>
> -- extended key purpose OIDs
> id-kp-serverAuth     OBJECT IDENTIFIER ::= { id-kp 1 }
> id-kp-clientAuth     OBJECT IDENTIFIER ::= { id-kp 2 }
> id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
> id-kp-ipsecTunnel    OBJECT IDENTIFIER ::= { id-kp 6 }
> id-kp-ipsecUser      OBJECT IDENTIFIER ::= { id-kp 7 }
> ...
>
> So, id-kp-clientAuth (1.3.6.1.5.5.7.3.2) should be as extended key usage
> in TLS/SSL client certificates, and id-kp-ipsecUser (1.3.6.1.5.5.7.3.7)
> should be in IKE user certificates. As the id-kp-ipsec OIDs are removed
> in the current release [RFC5280], you will need to test whether your
> implementation does support them.
>
> Peter
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] On Behalf
> Of Dr. Stephen Henson
> Sent: Thursday, July 16, 2009 6:24 PM
> To: openssl-users@openssl.org
> Subject: Re: One CA for many clients (a silly question)
>
> On Wed, Jul 15, 2009, stortoaranci wrote:
>
>>
>> Hi All,
>>
>> I just have a silly question on Openssl.
>>
>> I use a self-signed CA to sign several server/clients cert.
>>
>> For example I could use signed certs to implement an OpenVPN LAN and one
>> Wi-Fi RADIUS auth for different clients.
>>
>> The question is: "how to be sure that a client allowed to use the wifi does
>> not use the same cert on the OpenVPN LAN"?
>>
>> In other words, how could I segregate clients using the same CA?
>>
>> thank you and sorry for my poor English.
>>
>
> I'm not certain if there are any specific extended key usage OIDs for those
> two purposes. If there are you can set those in the appropriate end entity
> certificates but the software then has to check for their presence.
>
> Certificate policies are also usable for this. Again though the software has to
> check for an appropriate policy.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
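As an added example (not code from this thread, from OpenSSL, or from any of the posters), here is the presence check Steve describes, using the two key-purpose OIDs Peter quoted: a relying service only accepts a client certificate whose extendedKeyUsage lists the purpose that service demands. It decodes the raw DER value of the extension with the standard library alone; the service names and the DER test vectors are constructed for the example.

```python
# Added example: minimal DER decoder for the extendedKeyUsage value
# (SEQUENCE OF OBJECT IDENTIFIER) plus a per-service policy check.
# Standard library only; test vectors below are hand-built, not from a real cert.

ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # TLS client authentication
ID_KP_IPSEC_USER  = "1.3.6.1.5.5.7.3.7"   # IKE user cert (RFC 2459, since deprecated)

# Which key purpose each service requires (service names are placeholders).
SERVICE_POLICY = {
    "wifi-radius": ID_KP_CLIENT_AUTH,   # EAP-TLS is TLS client auth
    "openvpn":     ID_KP_CLIENT_AUTH,
    "ike-gateway": ID_KP_IPSEC_USER,
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)        # high bit set means "more octets follow"
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Return the dotted key-purpose OIDs listed in an extendedKeyUsage value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(_decode_oid(content))
    return oids

def cert_allowed_for(service, eku_der):
    """True only if the EKU lists the purpose SERVICE_POLICY demands for service.
    A cert with no EKU extension (eku_der is None) is rejected: RFC 5280 reads a
    missing EKU as 'any purpose', which would defeat the segregation."""
    if eku_der is None:
        return False
    return SERVICE_POLICY[service] in parse_eku(eku_der)

# Constructed vectors: EKU={clientAuth}, EKU={ipsecUser}, EKU={both}.
EKU_CLIENT_AUTH_ONLY = bytes.fromhex("300a06082b06010505070302")
EKU_IPSEC_USER_ONLY  = bytes.fromhex("300a06082b06010505070307")
EKU_BOTH = bytes.fromhex("301406082b0601050507030206082b06010505070307")
```

A certificate carrying both purposes (EKU_BOTH) passes every gate, which is exactly the situation the original question wants to avoid: the CA must issue each client cert with only the purpose it is meant for.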