[sr #107485] Add new extended key usage ipsecIKE
From: Micah Anderson
Subject: [sr #107485] Add new extended key usage ipsecIKE
Date: Wed, 29 Sep 2010 04:34:58 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.13) Gecko/20100916 Iceweasel/3.5.13 (like Firefox/3.5.13)
URL:
<http://savannah.gnu.org/support/?107485>
Summary: Add new extended key usage ipsecIKE
Project: GnuTLS
Submitted by: micahanderson
Submitted on: Wed 29 Sep 2010 04:34:57 AM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
According to RFC 4945 § 5.1.3.12 section title "ExtendedKeyUsage"[0] the
following extended key usage has been added:
... this document defines an ExtendedKeyUsage keyPurposeID that MAY be
used to limit a certificate's use:
id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }
where id-kp is defined in RFC 3280 [5]. If a certificate is intended
to be used with both IKE and other applications, and one of the other
applications requires use of an EKU value, then such certificates
MUST contain either the keyPurposeID id-kp-ipsecIKE or
anyExtendedKeyUsage [5], as well as the keyPurposeID values
associated with the other applications. Similarly, if a CA issues
multiple otherwise-similar certificates for multiple applications
including IKE, and it is intended that the IKE certificate NOT be
used with another application, the IKE certificate MAY contain an EKU
extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
use with the other application. Recall, however, that EKU extensions
in certificates meant for use in IKE are NOT RECOMMENDED.
Conforming IKE implementations are not required to support EKU. If a
critical EKU extension appears in a certificate and EKU is not
supported by the implementation, then RFC 3280 requires that the
certificate be rejected. Implementations that do support EKU MUST
support the following logic for certificate validation:
o If no EKU extension, continue.
o If EKU present AND contains either id-kp-ipsecIKE or
anyExtendedKeyUsage, continue.
o Otherwise, reject cert.
I believe that the attached patch adds the ipsecIKE extended key usage
flag to openssl. You can also pull my repository, with the patch from: git
clone git://labs.riseup.net/~micah/gnutls
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 29 Sep 2010 04:34:57 AM GMT Name: gnutls_ipsec_ike.diff Size: 4kB
By: micahanderson
<http://savannah.gnu.org/support/download.php?file_id=21569>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107485>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
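The RFC 4945 certificate-validation logic quoted in the request above, worked through as an added Python example; this is not part of the attached GnuTLS patch or the original report. It parses a DER-encoded ExtKeyUsageSyntax value and applies the three rules (no EKU: continue; id-kp-ipsecIKE or anyExtendedKeyUsage present: continue; otherwise reject), plus the RFC 3280 rule for a critical EKU in an implementation that does not support EKU. The sample DER values at the bottom are constructed for the example, not taken from real certificates.

```python
from typing import List, Optional
ID_KP_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"   # id-kp 17 (RFC 4945)
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # anyExtendedKeyUsage (RFC 3280)

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last base-128 octet of this arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]  # 40*X+Y
    return ".".join(str(a) for a in head + arcs[1:])

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_eku(der: bytes) -> List[str]:
    """Parse an ExtKeyUsageSyntax value (SEQUENCE OF KeyPurposeId) into OIDs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsageSyntax must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def ike_eku_check(eku_der: Optional[bytes], critical: bool, supports_eku: bool = True) -> bool:
    """RFC 4945 5.1.3.12 logic: True means continue validation, False means reject."""
    if eku_der is None:
        return True               # no EKU extension: continue
    if not supports_eku:
        # RFC 3280: an unsupported critical extension forces rejection; a non-critical one is ignored
        return not critical
    purposes = parse_eku(eku_der)
    return ID_KP_IPSEC_IKE in purposes or ANY_EXTENDED_KEY_USAGE in purposes

# Constructed sample extension values (DER), not taken from real certificates.
EKU_IKE_ONLY = bytes.fromhex("300a06082b06010505070311")             # id-kp-ipsecIKE
EKU_TLS_ONLY = bytes.fromhex("300a06082b06010505070301")             # id-kp-serverAuth
EKU_TLS_PLUS_ANY = bytes.fromhex("301006082b060105050703010604551d2500")  # serverAuth + anyEKU
```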