Depending on the SFR, the App Notes are inconsistent regarding whether EKUs are required, recommended, or only required in some cases.
SSH
There is not an appropriate EKU for SSH.
IKE
While there is an id-kp-ipsecIKE, RFC 4945 says, "Conforming IKE implementations are not required to support EKU" and "that EKU extensions in certificates meant for use in IKE are NOT RECOMMENDED."
General/Broad EKU mentions
FDP_CER_EXT.1.1/OLTleaf Application Note says, "the extendedKeyUsage extension is claimed in FDP_CER_EXT.1.2 to distinguish which functions are supported by the certificate." "is claimed" makes this sound like it is mandatory.
FDP_CER_EXT.1.2/OLTleaf Application Note says, "It is recommended that the extendedKeyUsage is claimed..."
FIA_X509_EXT.1.2 Application Note says, "The extendedKeyUsage is expected for many functions. It is claimed if required by the supported functions"
FIA_X509_EXT.1.5 Application Note says, "The ST author claims all explicit EKU values for applications (Code integrity, OCSP, TLS, DTLS, SMIME), claimed in FIA_X509_EXT.2.1. It is preferred, but not required that each application using certificates indicated in FIA_X509_EXT.2.1 is associated with an EKU." SSH and IPsec are both options in FIA_X509_EXT.2.1.
Proposed Resolution
Update FDP_CER_EXT.1.1/OLTleaf so it provides nuance about when the EKU is required.
Clarify which explicit EKU values for applications must be claimed (this applies to "EKU values for applications" and "recommended"). It appears this should not reference FIA_X509_EXT.2.1. In addition to Code integrity, OCSP, TLS, DTLS, and SMIME; id-kp-cmpRA and id-kp-cmcRA also appear to be required in some cases.
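As an added illustration of the distinctions the issue draws (this is not part of the issue or of the PP text), the following decodes an X.509 extendedKeyUsage extnValue and applies a constructed per-application policy: SSH has no EKU to check, IKE accepts an absent EKU per RFC 4945, and TLS, OCSP, code signing and S/MIME require their specific id-kp value. The application names, the policy table and the sample extension bytes are assumptions.

```python
# id-kp arc (RFC 5280); values below are from RFC 5280, RFC 4945 and RFC 6402.
ID_KP = "1.3.6.1.5.5.7.3."
IPSEC_IKE, ANY_EKU = ID_KP + "17", "2.5.29.37.0"  # id-kp-ipsecIKE, anyExtendedKeyUsage
# Constructed policy mirroring the issue (an assumption, not PP text): SSH has no EKU to
# check; IKE must not require one but a present EKU must permit IKE; the rest need theirs.
REQUIRED_EKU = {"tls-server": ID_KP + "1", "tls-client": ID_KP + "2",
                "code-signing": ID_KP + "3", "smime": ID_KP + "4", "ocsp": ID_KP + "9"}

def _read_tlv(buf, pos):
    """Parse one definite-length DER TLV; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID contents: first octet packs arcs 1-2, the rest are base-128 arcs."""
    arcs, value = ([2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]), 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(ext_value):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280)."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids

def eku_acceptable(application, ext_value):
    """ext_value: DER extnValue of the EKU extension, or None when it is absent."""
    if application == "ssh":
        return True, "no EKU is defined for SSH; extension not evaluated"
    eku = decode_eku(ext_value) if ext_value is not None else None
    if application == "ike":
        if eku is None or IPSEC_IKE in eku or ANY_EKU in eku:
            return True, "EKU absent or permits IKE"
        return False, "EKU present but permits neither id-kp-ipsecIKE nor anyExtendedKeyUsage"
    needed = REQUIRED_EKU[application]
    if eku is None or needed not in eku:
        return False, application + " requires EKU " + needed
    return True, "required EKU present"

SAMPLE_EKU = bytes.fromhex("301406082b0601050507031106082b06010505070301")  # constructed: { ipsecIKE, serverAuth }
```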
FDP_CER_EXT.1.1/OLTleaf app note updated to make it clear that this only applies when multiple functions require explicit EKU values, not that each function necessarily requires an EKU value
FDP_CER_EXT.1.2/OLTleaf app note updated same as above
FIA_X509_EXT.1.2 no change - this is still an accurate statement