
CA=True for an OCSP certificate



RFC 3280 specifies for basic constraints:

  The cA boolean indicates whether the certified public key belongs to a
  CA.  If the cA boolean is not asserted, then the keyCertSign bit in
  the key usage extension MUST NOT be asserted.

  The pathLenConstraint field is meaningful only if the cA boolean is
  asserted and the key usage extension asserts the keyCertSign bit
  (section 4.2.1.3).  In this case, it gives the maximum number of non-
  self-issued intermediate certificates that may follow this
  certificate in a valid certification path.  A certificate is self-
  issued if the DNs that appear in the subject and issuer fields are
  identical and are not empty.  (Note: The last certificate in the
  certification path is not an intermediate certificate, and is not
  included in this limit.  Usually, the last certificate is an end
  entity certificate, but it can be a CA certificate.)  A
  pathLenConstraint of zero indicates that only one more certificate
  may follow in a valid certification path.  Where it appears, the
  pathLenConstraint field MUST be greater than or equal to zero.  Where
  pathLenConstraint does not appear, no limit is imposed.

  This extension MUST appear as a critical extension in all CA
  certificates that contain public keys used to validate digital
  signatures on certificates.  This extension MAY appear as a critical
  or non-critical extension in CA certificates that contain public keys
  used exclusively for purposes other than validating digital
  signatures on certificates.  Such CA certificates include ones that
  contain public keys used exclusively for validating digital
  signatures on CRLs and ones that contain key management public keys
  used with certificate enrollment protocols.  This extension MAY
  appear as a critical or non-critical extension in end entity
  certificates.

There seem to be two conflicting definitions of what a CA certificate is:
- a cert that has CertSign set

  Usually, the last certificate is an end
  entity certificate, but it can be a CA certificate.


- one that 'belongs to a CA'

  Such CA certificates include ones that
  contain public keys used exclusively for validating digital
  signatures on CRLs and ones that contain key management public keys
  used with certificate enrollment protocols.

Is a CRL signer an end entity? What is an end entity? Something that
does not have CertSign as key usage?


My reading is that OCSP signers or time stamp authorities or
SCVP responders, etc. can have CA=TRUE when they 'belong to a CA'.
Are such things 'end entities'?


Thanks in advance for any comment.
Peter


--
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; the list of revoked certificates can also be found there.
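The rules quoted from RFC 3280 above (cA versus keyCertSign, the meaning of pathLenConstraint, self-issued certificates and the last certificate not counting toward the limit) are easy to get wrong in a validator. The following is an added example, not code from the message or from any PKI library: it models certificates as plain Python objects (no ASN.1 parsing; the `Cert` class, the `check_cert` and `check_chain` functions and the sample chains are all constructed here) and applies exactly those rules to a chain whose last certificate is an OCSP responder certificate with cA=TRUE but no keyCertSign, the case the message asks about.

```python
"""
Model of the RFC 3280 basicConstraints / keyCertSign rules quoted above.
Certificates are plain Python objects (constructed sample data, not real
certificates, and no ASN.1 parsing); chains run from trust anchor to the
last certificate.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    ca: bool = False                 # basicConstraints.cA
    path_len: Optional[int] = None   # basicConstraints.pathLenConstraint
    key_cert_sign: bool = False      # keyUsage.keyCertSign
    crl_sign: bool = False           # keyUsage.cRLSign

    @property
    def self_issued(self) -> bool:
        # RFC 3280: self-issued = subject and issuer DNs identical and non-empty
        return self.subject != "" and self.subject == self.issuer


def check_cert(cert: Cert) -> List[str]:
    """Per-certificate consistency rules from the quoted basicConstraints text."""
    problems = []
    if cert.key_cert_sign and not cert.ca:
        problems.append(f"{cert.subject}: keyCertSign asserted but cA is FALSE")
    if cert.path_len is not None:
        if cert.path_len < 0:
            problems.append(f"{cert.subject}: pathLenConstraint must be >= 0")
        if not (cert.ca and cert.key_cert_sign):
            problems.append(f"{cert.subject}: pathLenConstraint is only meaningful "
                            "with cA TRUE and keyCertSign")
    return problems


def check_chain(chain: List[Cert]) -> List[str]:
    """chain[0] is the trust anchor, chain[-1] the last certificate
    (which may itself carry cA=TRUE, e.g. an OCSP responder or CRL signer)."""
    problems = []
    last = len(chain) - 1
    for i, cert in enumerate(chain):
        problems += check_cert(cert)
        if i == last:
            break  # the last certificate is never an intermediate
        nxt = chain[i + 1]
        if nxt.issuer != cert.subject:
            problems.append(f"{nxt.subject}: issuer does not match {cert.subject}")
        # A certificate that validates signatures on certificates must be a CA cert
        if not (cert.ca and cert.key_cert_sign):
            problems.append(f"{cert.subject}: signs a certificate but lacks cA/keyCertSign")
        if cert.path_len is not None:
            # Count only non-self-issued intermediates strictly after this cert
            # and strictly before the last certificate.
            following = [c for c in chain[i + 1:last] if not c.self_issued]
            if len(following) > cert.path_len:
                problems.append(f"{cert.subject}: pathLenConstraint {cert.path_len} "
                                f"exceeded by {len(following)} intermediate(s)")
    return problems


# Constructed sample chains (not real certificates).
ROOT = Cert("CN=Root", "CN=Root", ca=True, key_cert_sign=True, path_len=1)
SUB = Cert("CN=Sub", "CN=Root", ca=True, key_cert_sign=True, path_len=0)
SUB_REKEY = Cert("CN=Sub", "CN=Sub", ca=True, key_cert_sign=True, path_len=0)  # self-issued
OCSP = Cert("CN=OCSP", "CN=Sub", ca=True, crl_sign=True)  # cA TRUE, no keyCertSign
SUB2 = Cert("CN=Sub2", "CN=Sub", ca=True, key_cert_sign=True)
SERVER = Cert("CN=www", "CN=Sub2")

# Valid: the self-issued re-key cert is not counted, the OCSP cert is last.
GOOD_CHAIN = [ROOT, SUB, SUB_REKEY, OCSP]
# Invalid: Sub2 is a second non-self-issued intermediate under Root (pathLen 1)
# and the first under Sub (pathLen 0).
BAD_CHAIN = [ROOT, SUB, SUB2, SERVER]

if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN))
    print("bad chain:", check_chain(BAD_CHAIN))
```

Under these rules the OCSP certificate with cA=TRUE and no keyCertSign passes as the last certificate of the path, while it would be rejected if it appeared in a position where it had to sign the next certificate; the checker reports the latter as a missing cA/keyCertSign, which is the distinction the quoted RFC text draws.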
