author: Micah Anderson <micah@riseup.net> 2010-09-29 00:14:56 -0400
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2010-09-29 09:36:29 +0200
commit: 96b97d92e4f6075a42c2d35dd4413b085b58a462
tree: db033be38b26bfb5d6d495eb16249f50c3bfad04 /doc
parent: 80ae413ac745472798651d44b72cbfc52d04f21d
download: gnutls-96b97d92e4f6075a42c2d35dd4413b085b58a462.tar.gz
Add new extended key usage ipsecIKE
According to RFC 4945 § 5.1.3.12 section title "ExtendedKeyUsage"[0] the following extended key usage has been added:

... this document defines an ExtendedKeyUsage keyPurposeID that MAY be used to limit a certificate's use:

id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }

where id-kp is defined in RFC 3280 [5].

If a certificate is intended to be used with both IKE and other applications, and one of the other applications requires use of an EKU value, then such certificates MUST contain either the keyPurposeID id-kp-ipsecIKE or anyExtendedKeyUsage [5], as well as the keyPurposeID values associated with the other applications. Similarly, if a CA issues multiple otherwise-similar certificates for multiple applications including IKE, and it is intended that the IKE certificate NOT be used with another application, the IKE certificate MAY contain an EKU extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its use with the other application.

Recall, however, that EKU extensions in certificates meant for use in IKE are NOT RECOMMENDED. Conforming IKE implementations are not required to support EKU. If a critical EKU extension appears in a certificate and EKU is not supported by the implementation, then RFC 3280 requires that the certificate be rejected.

Implementations that do support EKU MUST support the following logic for certificate validation:

o If no EKU extension, continue.
o If EKU present AND contains either id-kp-ipsecIKE or anyExtendedKeyUsage, continue.
o Otherwise, reject cert.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
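An added example, not part of this commit or of GnuTLS: the RFC 4945 validation logic quoted in the commit message, applied to a DER-encoded ExtendedKeyUsage extension value, with a minimal OID decoder so it runs without external libraries. The sample extension values at the bottom are constructed for the example, not taken from any real certificate.

```python
from typing import List, Optional, Tuple

# OIDs named in the commit message (RFC 4945 / RFC 3280); id-kp is 1.3.6.1.5.5.7.3
ID_KP_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"   # id-kp 17
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # anyExtendedKeyUsage

def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128 digits, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)          # first octet packs 40*X + Y
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def decode_eku(der: bytes) -> List[str]:
    """Parse an ExtendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtendedKeyUsage")
        oids.append(_decode_oid(body))
    return oids

def ike_cert_eku_acceptable(eku_der: Optional[bytes]) -> bool:
    """RFC 4945 5.1.3.12: no EKU -> continue; ipsecIKE or anyEKU present -> continue; else reject."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return ID_KP_IPSEC_IKE in oids or ANY_EXTENDED_KEY_USAGE in oids

# Constructed sample extension values for this example (serverAuth is 1.3.6.1.5.5.7.3.1).
EKU_SERVER_AUTH_AND_IKE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070311")
EKU_SERVER_AUTH_ONLY = bytes.fromhex("300a" "06082b06010505070301")
EKU_ANY = bytes.fromhex("3006" "0604551d2500")
```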
Diffstat (limited to 'doc')

-rw-r--r-- doc/certtool.cfg | 3
-rw-r--r-- doc/cha-programs.texi | 3

2 files changed, 6 insertions, 0 deletions
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 72597600ff..db6ba70672 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -88,6 +88,9 @@ signing_key
# Whether this key will be used for time stamping.
#time_stamping_key
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
+
#a space separated list of key purpose OIDs to be added
#key_purpose_oids = "1.3.6.1.5.5.7.3.1" "1.2.3.4.5.6"
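Review bot: the comment above `#ipsec_ike_key` does not say which key purpose the flag adds, while the `key_purpose_oids` example two lines below takes raw OIDs; consider stating that it adds id-kp-ipsecIKE ({ id-kp 17 }, i.e. 1.3.6.1.5.5.7.3.17 under the same arc as the 1.3.6.1.5.5.7.3.1 shown) so a reader sees that the two settings overlap, and, given the RFC 4945 text in the commit message, that an EKU in a certificate meant for IKE is NOT RECOMMENDED. Also note the blank line is placed after `#ipsec_ike_key` here but before the new comment in the doc/cha-programs.texi hunk; the two copies should match.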
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
index c1b940ca13..1a892ac08c 100644
--- a/doc/cha-programs.texi
+++ b/doc/cha-programs.texi
@@ -332,6 +332,9 @@ signing_key
# Whether this key will be used for time stamping.
#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
@end example
@node Invoking gnutls-cli
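Review bot: the blank line is inserted before `# Whether this key will be used for IPsec IKE operations.` here, whereas in the doc/certtool.cfg hunk it follows `#ipsec_ike_key`; since this @example block reproduces certtool.cfg, use the same ordering in both so the two copies stay in sync (the certtool.cfg form, with the blank line separating the new option from the `key_purpose_oids` block that follows it, reads more naturally).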