[19:44:47] --- shima has become available
[19:48:35] --- stefans has become available
[19:54:21] --- dumdidum has become available
[19:54:26] --- dumdidum has left
[20:01:12] --- dumdidum has become available
[20:02:44] --- mrichardosn has become available
[20:07:39] <mrichardosn> "If told (by configuration) not to process the EKU, then don't process the EKU and accept the extension."
[20:09:24] <mrichardosn> hi.
[20:09:26] --- mrichardosn has left
[20:09:35] --- dumdidum has left: Disconnected
[20:09:40] --- mrichardson has become available
[20:12:24] <shima> Who does require the EKU extension as critical?
[20:12:43] <mrichardson> the issue is that if the spec doesn't say we can ignore the EKU, then the PKI library won't support it.
[20:13:07] <mrichardson> so, we'll be back in the state that IPsec vendors were before --- screwed into using PSK by their PKI vendors.
[20:20:40] <shima> I understand the issue, and to ignore it or not, we should consider the critical flag of EKU extension.
[20:21:46] <mrichardson> are you in the room?
[20:22:36] <shima> yes, but I cannot speak and listen English so well.
[20:34:36] <shima> I understood the room discussion is focusing on the critical flag now...
[20:36:36] <mrichardson> from thawte.com:
[20:36:38] <mrichardson> Key Usage This extension provides a crude way of defining broad types of usage for your private key. For example, you can mark the key for "signing only" use, or for "encrypting only". Most applications ignore this key usage in favour of the newer PKIX Extended Key Usage which is not in your control.
[20:41:38] <mrichardson> (18:41:19) sommerfeld: Users deploying IKE & IPsec with certificates have often had little (18:41:19) sommerfeld: control over the capabilities of CA's available to them. (18:41:19) sommerfeld: Implementations of this specification MAY include configuration knobs to (18:41:19) sommerfeld: disable checks required by this specification in order to permit use (18:41:19) sommerfeld: with inflexible and/or noncompliant CAs.
[20:42:33] --- dumdidum has become available
[20:43:10] --- dumdidum has left: Disconnected
[20:44:17] --- dumdidum has become available
[20:44:26] --- dumdidum has left
[20:44:40] <shima> thx.
[20:46:20] --- stefans has left: Disconnected
[21:04:46] --- shima has left
[21:05:45] --- mrichardson has left: Disconnected