anima-wg / constrained-voucher

This is a repo for the IETF Internet Draft about constrained vouchers in CBOR

EKU must contain web-server, web-client and cmcRA #146

Closed mcr closed 3 years ago

mcr commented 3 years ago
> When debugging another issue, I found that my test Registrar had stopped
> being able to connect to my MASA.  Some upgrades to OpenSSL, Apache meant
> that one of those two decided the Extended Key Usage for the client
> certificates had better be right.

> What I found:
> 1) If there is no EKU, then it's all okay.
> 2) If there is an EKU, and it contains only cmcRA, then it is rejected.
> 3) If I add "clientAuth" EKU, then it works.

> Consequence for a Registrar server, that MUST have id-kp-cmcRA set, is
> that it also needs id-kp-serverAuth set in the EKU.  Older DTLS 1.2
> stacks for example may not check EKU yet in such a way (e.g. an older
> Scandium I used did not check) but I expect newer 1.2/1.3 stacks to
> check EKU.

EskoDijk commented 3 years ago

closing, the text on EKU is now included (verified)
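The EKU combination the issue settles on (id-kp-cmcRA plus serverAuth and clientAuth), as an added example that is not code from this issue or the draft: it builds a self-signed test Registrar certificate with OpenSSL and checks that all three purposes are present, flagging a cmcRA-only certificate the way a modern TLS stack would. It assumes OpenSSL 1.1.1 or later on PATH; the subject name, file paths and the `make_registrar_cert`/`check_registrar_eku` helpers are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or the draft: build a self-signed test
# Registrar certificate with an EKU that carries id-kp-cmcRA together with
# serverAuth and clientAuth, then verify all three purposes are present.
# Assumes OpenSSL 1.1.1 or later on PATH; names and paths are constructed.
set -e

CMCRA_OID="1.3.6.1.5.5.7.3.28"        # id-kp-cmcRA (RFC 6402)
WORK="${WORK:-$(mktemp -d)}"

# $1 = output certificate path, $2 = EKU list in OpenSSL extendedKeyUsage syntax.
# The numeric OID is used for cmcRA so this works even where the OpenSSL
# build has no short name for it.
make_registrar_cert() {
    cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = registrar.example.invalid
[ ext ]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$1" -days 1 -config "$WORK/ext.cnf" -extensions ext \
        >/dev/null 2>&1
}

# Print the EKU line from the certificate text; empty when no EKU is set.
cert_eku() {
    openssl x509 -in "$1" -noout -text | awk '/Extended Key Usage/{getline; print}'
}

# Returns 0 only when cmcRA, serverAuth and clientAuth are all present,
# which is the combination the issue found a current TLS stack insists on.
check_registrar_eku() {
    eku=$(cert_eku "$1")
    case "$eku" in
        *"CMC Registration Authority"*|*"$CMCRA_OID"*) ;;
        *) echo "missing id-kp-cmcRA"; return 1 ;;
    esac
    case "$eku" in *"TLS Web Server Authentication"*) ;;
        *) echo "missing serverAuth"; return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;;
        *) echo "missing clientAuth"; return 1 ;; esac
    echo "EKU ok: $eku"
}
```

Run `make_registrar_cert out.pem "serverAuth, clientAuth, $CMCRA_OID"` followed by `check_registrar_eku out.pem` to produce and validate a certificate; passing only `$CMCRA_OID` reproduces the rejected case from the issue.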