| rfc9809v2.txt | rfc9809.txt |
|---|---|
| Internet Engineering Task Force (IETF) H. Brockhaus | Internet Engineering Task Force (IETF) H. Brockhaus |
| Request for Comments: 9809 Siemens | Request for Comments: 9809 Siemens |
| Category: Standards Track D. Goltzsche | Category: Standards Track D. Goltzsche |
| ISSN: 2070-1721 Siemens Mobility | ISSN: 2070-1721 Siemens Mobility |
| June 2025 | July 2025 |
| X.509 Certificate Extended Key Usage (EKU) for Configuration, Updates, | X.509 Certificate Extended Key Usage (EKU) for Configuration, Updates, |
| and Safety-Critical Communication | and Safety-Critical Communication |
| Abstract | Abstract |
| RFC 5280 defines the Extended Key Usage (EKU) extension and specifies | RFC 5280 defines the Extended Key Usage (EKU) extension and specifies |
| several extended key purpose identifiers (KeyPurposeIds) for use with | several extended key purpose identifiers (KeyPurposeIds) for use with |
| that extension in X.509 certificates. This document defines | that extension in X.509 certificates. This document defines |
| KeyPurposeIds for general-purpose and trust anchor configuration | KeyPurposeIds for general-purpose and trust anchor configuration |
| skipping to change at line 205 | skipping to change at line 205 |
| described in Section 6. | described in Section 6. |
| Systems or applications that verify the signature of a general- | Systems or applications that verify the signature of a general- |
| purpose configuration file or trust anchor configuration file, the | purpose configuration file or trust anchor configuration file, the |
| signature of a software or firmware update package, or the | signature of a software or firmware update package, or the |
| authentication of a communication peer for safety-critical | authentication of a communication peer for safety-critical |
| communication SHOULD require that corresponding KeyPurposeIds be | communication SHOULD require that corresponding KeyPurposeIds be |
| specified by the EKU extension. If the certificate requester knows | specified by the EKU extension. If the certificate requester knows |
| the certificate users are mandated to use these KeyPurposeIds, it | the certificate users are mandated to use these KeyPurposeIds, it |
| MUST enforce their inclusion. Additionally, such a certificate | MUST enforce their inclusion. Additionally, such a certificate |
| requester MUST ensure that the KeyUsage extension be set to | requester MUST ensure that the Key Usage extension be set to |
| digitalSignature for signature verification, to keyEncipherment for | digitalSignature for signature verification, to keyEncipherment for |
| public key encryption, and keyAgreement for key agreement. | public key encryption, and keyAgreement for key agreement. |
| 4. Including the Extended Key Purpose in Certificates | 4. Including the Extended Key Purpose in Certificates |
| [RFC5280] specifies the EKU X.509 certificate extension for use on | [RFC5280] specifies the EKU X.509 certificate extension for use on |
| end-entity certificates. The extension indicates one or more | end-entity certificates. The extension indicates one or more |
| purposes for which the certified public key is valid. The EKU | purposes for which the certified public key is valid. The EKU |
| extension can be used in conjunction with the Key Usage (KU) | extension can be used in conjunction with the Key Usage (KU) |
| extension, which indicates the set of basic cryptographic operations | extension, which indicates the set of basic cryptographic operations |
| End of changes. 2 change blocks. | |
| 2 lines changed or deleted | 2 lines changed or added |

This html diff was produced by rfcdiff 1.48.
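The EKU/Key Usage requirement quoted in the diff above (a verifier SHOULD require the KeyPurposeId in the EKU extension, and the requester MUST ensure the Key Usage bit matches the operation), as an added example that is not part of RFC 9809 or of this rfcdiff output: a pure-Python check with a minimal DER decoder and no third-party library. The KeyPurposeId 2.999.1 and the DER byte strings are constructed placeholders (2.999 is the OID arc reserved for examples); the RFC's own KeyPurposeId OIDs are not shown on this page.

```python
def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER's content bytes."""
    subids, acc = [], 0
    for b in value:  # base-128 subidentifiers; a set high bit means "continues"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]  # the first two arcs are packed into one subidentifier
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, arcs + subids[1:]))

def parse_eku(der: bytes) -> list:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (RFC 5280), as dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(val))
    return oids

KU_BITS = {"digitalSignature": 0, "keyEncipherment": 2, "keyAgreement": 4}  # RFC 5280 named bits
def parse_ku(der: bytes) -> set:
    """Names of the KeyUsage bits set in a DER BIT STRING (bit 0 is the leftmost bit)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KU value must be a BIT STRING")
    bits = body[1:]  # body[0] is the unused-bits count
    return {n for n, i in KU_BITS.items() if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}

# Key Usage bit the quoted text requires for each kind of operation.
REQUIRED_KU = {"signature": "digitalSignature", "encryption": "keyEncipherment", "key-agreement": "keyAgreement"}
def eku_ku_acceptable(eku_der: bytes, ku_der: bytes, key_purpose_oid: str, operation: str) -> bool:
    """Accept only if the EKU lists key_purpose_oid AND the KU carries the bit the operation needs."""
    return key_purpose_oid in parse_eku(eku_der) and REQUIRED_KU[operation] in parse_ku(ku_der)

# Constructed sample extension values; 2.999.1 is a placeholder KeyPurposeId, not an RFC 9809 OID.
EKU_DER = bytes.fromhex("300f" "06082b06010505070301" "0603883701")  # id-kp-serverAuth, 2.999.1
KU_SIGN_DER = bytes.fromhex("03020780")  # digitalSignature only
KU_ENC_DER = bytes.fromhex("03020520")   # keyEncipherment only
```

A certificate whose EKU lists the purpose but whose Key Usage lacks the matching bit (or vice versa) is rejected, which is the combined condition the text places on requesters and verifiers.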