FIA_X509_EXT.1/AuthSvr has several comments on it that are being reproduced here for tracking purposes.
- Re: extendedKeyUsage field - "If IKE extended key usage is not prevalent and this breaks IKE implementations (even if not critical), omit this requirement."
- Re: certificates not asserting anyExtendedKeyUsage (OID 2.5.29.37.0) - "See above about IKE key usage potentially breaking implementations."
- Re: certificates requiring Client Authentication purpose - "Some rumbling at IETF that this is for “Web” authentication only, and shouldn’t apply for EAP methods supporting TLS mutual authentication. Poll vendors, and follow IETF to maybe allow other purposes (or none?)."
- Re: certificates requiring Server Authentication purpose - "See IETF rumblings about 'web only' above."
- Re: certificates requiring ipsec-ike purpose - "Check to see if this is actually used in IPsec products (RFC indicates EKU is not recommended?)."