- Extended key usage

Submitted by dyp at perchine.com from host ( on Mon Nov 13 13:31:58 MET 2000 using a WWW entry form.

OID value:

OID description:
This field indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. This field is defined as follows:

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

Key purposes may be defined by any organization with a need. Object identifiers used to identify key purposes shall be assigned in accordance with IANA or ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1. This extension may, at the option of the certificate issuer, be either critical or non-critical.

If the extension is flagged critical, then the certificate MUST be used only for one of the purposes indicated.

If the extension is flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. It is an advisory field and does not imply that usage of the key is restricted by the certification authority to the purpose indicated. Certificate using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application.

If a certificate contains both a critical key usage field and a critical extended key usage field, then both fields MUST be processed independently and the certificate MUST only be used for a purpose consistent with both fields. If there is no purpose consistent with both fields, then the certificate MUST NOT be used for any purpose.

The following key usage purposes are defined by this profile:

id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1} -- TLS Web server authentication -- Key usage bits that may be consistent: digitalSignature, -- keyEncipherment or keyAgreement -- id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2} -- TLS Web client authentication -- Key usage bits that may be consistent: digitalSignature and/or -- keyAgreement -- id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3} -- Signing of downloadable executable code -- Key usage bits that may be consistent: digitalSignature -- id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4} -- E-mail protection -- Key usage bits that may be consistent: digitalSignature, -- nonRepudiation, and/or (keyEncipherment -- or keyAgreement) -- id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } -- Binding the hash of an object to a time from an agreed-upon time -- source. Key usage bits that may be consistent: digitalSignature, -- nonRepudiation

URL for further info: ftp://ftp.isi.edu/in-notes/rfc2459.txt

See also the OID Repository website reference for

Superior references

Subsidiary references (single level)

Search for text in all OIDs starting with

Go to the top node if you need to search all entries.
Tell me about OIDs you know about
Incoming OIDs that have not been proofread yet
Entered: Mon Nov 13 13:31:58 MET 2000 (not changed manually)