Add a SHOULD NOT in security considerations for using clientAuth/serv…

…erAuth and imUri key purposes, per suggestion by Paul Wouters.
rohanmahy · Dec 9, 2024 · 19d1edb · 19d1edb
1 parent 609a595
commit 19d1edb
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/draft-ietf-lamps-im-keyusage.md b/draft-ietf-lamps-im-keyusage.md
@@ -114,6 +114,10 @@ The Security Considerations of {{!RFC5280}} are applicable to this
 document.  This extended key purpose does not introduce new security
 risks but instead reduces existing security risks by providing means
 to identify if the certificate is generated to sign IM identity credentials.
+Issuers SHOULD NOT set the `id-kp-imUri` extended key purpose and an
+`id-kp-clientAuth` or `id-kp-serverAuth` extended key purpose, as that would
+defeat the improved specificity offered by having an `id-kp-imUri` extended key
+purpose.
 
 # IANA Considerations