Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 525

usage extension identifies a key to be used for signing, the extended key usage
extension can further narrow down the usage of the key for signing OCSP
responses only or for signing Java applets only. (For information on key usage
extension, see "KeyUsageExt" on page 535.)
For general information about this extension, see "extKeyUsage" on page 727.
Table 11-22 PKIX usage definitions for the extended key usage extension
Usage
Server authentication
Client authentication
Code signing
Email
IPSec end system
IPSec tunnel
IPSec user
Timestamping
Note that Windows 2000
known as encrypted file system (EFS), using certificates that contain the Extended
Key Usage extension with the following two OIDs:
1.3.6.1.4.1.311.10.3.4
1.3.6.1.4.1.311.10.3.4.1
The EFS recovery certificate is used by a recovery agent when a user loses the
private key and the data encrypted with that key needs to be used. CMS supports
the above two OIDs and allows you to issue certificates containing extended key
usage extension with these OIDs.
Normal user certificates should be created with only the EFS OID, not the recovery
OID.
During installation, CMS automatically creates two instances of the extended key
usage extension policy, named
for an OCSP responder certificate, both are enabled by default.
OCSPSigningExt
Note that the
CODESigningExt
to issue object signing certificates with the correct extended key usage extension.
OID
1.3.6.1.5.5.7.3.1
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.3
1.3.6.1.5.5.7.3.4
1.3.6.1.5.5.7.3.5
1.3.6.1.5.5.7.3.6
1.3.6.1.5.5.7.3.7
1.3.6.1.5.5.7.3.8
TM
allows you to encrypt files on the hard disk, a feature
(this OID is for the EFS certificate)
(this OID is for the EFS recovery certificate)
CODESigningExt
policy rule must remain enabled if you want CMS
Extension-Specific Policy Module Reference
for object signing certificates and
Chapter 11 Policies 525