
I've seen both the terms Enhanced Key Usage and Extended Key Usage, and both were abbreviated as EKU. Do both refer to the same extension or property?

Thomas Pornin
mkl
    related: [What is the difference between `extendedKeyUsage` and an application policy?](http://security.stackexchange.com/q/30766/3272) – Tobias Kienzler Feb 25 '13 at 14:03

1 Answer


The correct name for the standard extension is Extended Key Usage; see section 4.2.1.12 of RFC 5280. Its OID is 2.5.29.37.

Confusion comes from Microsoft documentation and software:

  • They use "extended key usage" and "enhanced key usage" interchangeably.
  • They defined a Microsoft-specific extension called "Application Policies" (OID 1.3.6.1.4.1.311.21.10) which contains the same information as Extended Key Usage, but with the ASN.1 syntax of "Certificate Policies" (another unrelated extension).
  • Documentation repeatedly talks of storing extended/enhanced key usages into the Application Policies extension. That is, they use the two expressions "extended key usage" and "enhanced key usage" to designate both the extension and the OIDs they can put in that extension, or in its clone extension "Application Policies".

Since Microsoft-specific extensions are Microsoft-specific, Microsoft's CA ("Certificate Services") usually includes both extensions (the standard one and the Microsoft one) in issued certificates.

Thomas Pornin
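The answer above says the two extensions carry the same information in two different ASN.1 syntaxes. The following is an added example, not part of the original answer, that makes the difference concrete: it DER-encodes the standard Extended Key Usage extension (2.5.29.37, a SEQUENCE OF OID) and Microsoft's Application Policies extension (1.3.6.1.4.1.311.21.10, certificatePolicies syntax: a SEQUENCE OF PolicyInformation wrapping each OID) for the same key purposes, decodes both back, and checks that a certificate carrying both lists the same purposes. It uses only the standard library; the serverAuth and clientAuth purpose OIDs are the RFC 5280 values, the helper names are my own.

```python
"""Encode and decode Extended Key Usage vs. Microsoft Application Policies.

Added example (not from the original answer). Minimal DER helpers, enough for
these two extensions; the key-purpose OIDs are from RFC 5280 section 4.2.1.12.
"""

EXTENDED_KEY_USAGE = "2.5.29.37"                 # RFC 5280, id-ce-extKeyUsage
MS_APPLICATION_POLICIES = "1.3.6.1.4.1.311.21.10"  # Microsoft szOID_APPLICATION_CERT_POLICIES
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"                # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"                # id-kp-clientAuth


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(purposes) -> bytes:
    # ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (bare OIDs)
    return _tlv(0x30, b"".join(encode_oid(p) for p in purposes))


def encode_app_policies(purposes) -> bytes:
    # certificatePolicies syntax: SEQUENCE OF PolicyInformation,
    # PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(p)) for p in purposes))


def encode_extension(ext_oid: str, value: bytes, critical: bool = False) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    crit = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, encode_oid(ext_oid) + crit + _tlv(0x04, value))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_seq(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner


def key_purposes_from_extension(ext_der: bytes):
    """Return (extnID, critical, [purpose OIDs]); the extnID decides which syntax to expect."""
    tag, body, _ = _read_tlv(ext_der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    fields = list(_iter_seq(body))
    ext_oid = decode_oid(fields[0][1])
    critical = any(t == 0x01 and v == b"\xff" for t, v in fields[1:-1])
    vtag, seq, _ = _read_tlv(fields[-1][1], 0)   # extnValue OCTET STRING holds the inner DER
    assert vtag == 0x30, "extnValue must contain a SEQUENCE"
    purposes = []
    for tag, inner in _iter_seq(seq):
        if ext_oid == EXTENDED_KEY_USAGE:
            assert tag == 0x06, "EKU entries are bare OIDs"
            purposes.append(decode_oid(inner))
        elif ext_oid == MS_APPLICATION_POLICIES:
            assert tag == 0x30, "Application Policies entries are PolicyInformation SEQUENCEs"
            ptag, pinner = next(_iter_seq(inner))
            assert ptag == 0x06, "policyIdentifier must be an OID"
            purposes.append(decode_oid(pinner))
        else:
            raise ValueError("not an EKU-style extension: " + ext_oid)
    return ext_oid, critical, purposes


def build_both(purposes, critical: bool = False):
    """Encode the same purposes as both extensions, as a CA emitting both would."""
    return (encode_extension(EXTENDED_KEY_USAGE, encode_eku(purposes), critical),
            encode_extension(MS_APPLICATION_POLICIES, encode_app_policies(purposes), critical))


def purposes_agree(extensions) -> bool:
    """True when every EKU / Application Policies extension present lists the same purposes."""
    found = {}
    for ext in extensions:
        oid, _, purposes = key_purposes_from_extension(ext)
        found[oid] = tuple(sorted(purposes))
    return len(set(found.values())) <= 1


if __name__ == "__main__":
    for der in build_both([SERVER_AUTH, CLIENT_AUTH]):
        print(der.hex(), key_purposes_from_extension(der))
```

The decoder dispatches on the extension OID rather than on the shape of the data; that is the practical point of the answer: a verifier that reads bare OIDs out of 2.5.29.37 will not find them in 1.3.6.1.4.1.311.21.10 without also unwrapping the PolicyInformation SEQUENCE, and a certificate that carries both should list identical purposes, which `purposes_agree` checks.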