Netscape MANAGEMENT SYSTEM 6.01 - PLUG-IN Manual page 345

Criticality
If this extension is marked critical, the certificate must be used for one of the
indicated purposes only. If it is not marked critical, it is treated as an advisory field
that may be used to identify keys but does not restrict the use of the certificate to
the indicated purposes.
Discussion

The Extended Key Usage extension indicates one or more purposes for which the
certified public key may be used. These purposes may be in addition to or in place
of the basic purposes indicated in the key usage extension.

The Extended Key Usage extension must include OCSP Signing in an OCSP
responder's certificate (unless the CA signing key that signed the certificates
validated by the responder is also the OCSP signing key). The OCSP responder's
certificate must be issued directly by the CA that signs certificates the responder
will validate.

The Key Usage, Extended Key Usage, and Basic Constraints extensions act together
to define the purposes for which the certificate is intended to be used. Applications
can use these extensions to disallow the use of a certificate in inappropriate
contexts.

Table C-2 lists the uses defined by PKIX for this extension, and Table C-3 lists uses
privately defined by Microsoft or Netscape.

Table C-2   PKIX Extended Key Usage Extension Uses

Use                      OID
Server authentication    1.3.6.1.5.5.7.3.1
Client authentication    1.3.6.1.5.5.7.3.2
Code signing             1.3.6.1.5.5.7.3.3
Email                    1.3.6.1.5.5.7.3.4
Timestamping             1.3.6.1.5.5.7.3.8
OCSP Signing             1.3.6.1.5.5.7.3.9*

* OCSP Signing is not defined in PKIX Part 1, but in RFC 2560, "X.509 Internet
Public Key Infrastructure Online Certificate Status Protocol - OCSP."
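
The Python sketch below is an added example, not part of the Netscape manual or of the Certificate Management System code. It decodes a DER-encoded Extended Key Usage value into the OIDs of Table C-2 and applies the criticality rule and the OCSP responder rule described above. Assumptions: all function names are hypothetical, the sample bytes are constructed, and only short-form DER lengths (values up to 127 bytes) are handled.

```python
# Added example. OIDs are from Table C-2; every function name is hypothetical.
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated TLV or long-form length (over 127 bytes)")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def _oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends one base-128 arc
            arcs.append(acc)
            acc = 0
    x = min(arcs[0] // 40, 2)  # the first group packs the first two arcs
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def parse_eku(der):
    """Return the purpose OIDs in a DER-encoded EKU value (SEQUENCE OF OID)."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_oid(value))
    return oids

def eku_allows(eku_der, critical, purpose):
    """A critical EKU restricts use to listed purposes; otherwise it is advisory."""
    return eku_der is None or not critical or purpose in parse_eku(eku_der)

def ocsp_responder_ok(eku_der, signs_with_ca_key, issued_by_validated_ca):
    """Require OCSP Signing and direct CA issuance unless the CA key signs."""
    return bool(signs_with_ca_key or (issued_by_validated_ca and eku_der
                and OCSP_SIGNING in parse_eku(eku_der)))

# Constructed sample EKU values (DER), not taken from any real certificate.
EKU_OCSP = bytes.fromhex("300a06082b06010505070309")
EKU_TLS = bytes.fromhex("301406082b0601050507030106082b06010505070302")
```
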
Appendix C
Standard X.509 v3 Certificate Extensions
Certificate and CRL Extensions