Messages - 4.2 Key usage should refrence RFC2459
keyEncipherment must be X.509 key usage bit.
I think that it should be described with more word and referred to RFC.
Comments (7)
-
-
-
assigned issue to
- changed status to open
For
#502-504, we need more details on the change(s) that Hideki is proposing -
assigned issue to
-
I think what Hideki is proposing is to add some text to reference rfc 2459.
So, currently, it is:
The key usage of the respective keys MUST include encryption. In particular, if the key found through x5u is used, the key usage MUST include keyEncipherment.
Instead, he probably is proposing something like:
The key usage of the respective keys MUST include encryption. In particular, if the key found through x5u is used, the key usage MUST include keyEncipherment as defined in section 4.2.1.3 of RFC2459.
-
- changed title to Messages - 4.2 Key usage should refrence RFC2459
-
reporter Sorry for making you worry things because of my short words. I'm not quite sure if we should describe X.509 detail things in Messages or JW*. If we want to describe in Messages, I think we should refer terms to proper specification as Nat wrote.
-
I am unconvinced that we should be mentioning X.509 extension processing at all.
If we adhere strictly to RFC2459 processing PKI bridges are precluded as it only supports a strict hierarchy.
If a deployment is strictly processing x.509 and the certificate doesn't contain keyEncipherment as a keyUsage then it won't encrypt to it.
This is really a recommendation to the Authorization server about publishing certificates.
I could go with something like.
The Certificate SHOULD be valid for its intended use as defined by RFC2459.
John
-
- changed status to resolved
- Log in to comment
X.509 processing is a optional deployment choice.
X509 key usage extensions for signing and encryption are almost never used. Usage is almost always described at a higher level like SAML meta-data.
In our case the usage is specified by providing specific raw keys or certificates for each use.
My recommendation is to not recomend certificate validation processing as that would preclude self signed certificates and cause more interoperability problems with expiration dates.
For Connect certificates are just containers for keys, unless a deployment creates it's own profile for some different trust model.
I don't quite know what we would change.
John