From: Theo Buehler
Subject: Re: rpki-client: move key usage to x509_get_purpose()
To: tech@openbsd.org
Date: Mon, 10 Jun 2024 13:06:41 +0200

> Diff is OK claudio@. I wonder if the name of the function is slowly
> outdated since x509_get_purpose() does not do a lot more than just selecting
> the purpose. That's a different bikeshed and for a different diff.

I'm happy to change to a different name for the function, but I kind of
struggle to come up with a better one. Having Purpose in the name doesn't
seem that bad. Maybe x509_validate_purpose() would be better? I don't
really want to use x509_check_purpose() since that will be very confusing
for me due to X509_check_purpose(3).

I'm inclined to see the basic constraints, the (extended) key usage, and
also cert policy (which isn't handled here yet) as defining the
certificate's purpose. The (extended) key usage extensions are by
definition in RFC 5280:

KU: The key usage extension defines the purpose (e.g., encipherment,
signature, certificate signing) of the key contained in the certificate.

EKU: This extension indicates one or more purposes for which the certified
public key may be used, in addition to or in place of the basic purposes
indicated in the key usage extension.

Now granted, we have libcrypto look at subject, issuer, SKI and AKI, but
it's in the nature of the complex tangle that is X.509. Also, purpose is an
OpenSSL thing lumping together all these things.