[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CA=True for an OCSP certficat

To: Peter Sylvester <Peter.Sylvester@xxxxxxxxxx>
Subject: Re: CA=True for an OCSP certficat
From: Stephen Kent <kent@xxxxxxx>
Date: Wed, 2 Apr 2008 19:23:27 -0400
Cc: pkix <ietf-pkix@xxxxxxx>
In-reply-to: <47F3657A.90402@xxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <47F3657A.90402@xxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


Peter,

I expect the CA flag to be set to TRUE only in a cert used tovalidate signatures on other certs, and/or signatures on CRLs.

A cert for an EE contains no basic constraints extension, or one inwhich the CA flag is FALSE.

A cert issued to a service run by a CA, such as OCSP server or a timestamp server is not CA cert, but an EE cert, i.e., it is used toverify signatures on objects others than certs or CRLs, and thus itMUST not have the CA flag set TRUE.


Steve

Follow-Ups:
- Re: CA=True for an OCSP certficat
  - From: Peter Sylvester
- RE: CA=True for an OCSP certficat
  - From: Santosh Chokhani

References:
- CA=True for an OCSP certficat
  - From: Peter Sylvester

Prev by Date: Watches, handbags, shoes and more
Next by Date: RE: CA=True for an OCSP certficat
Previous by thread: CA=True for an OCSP certficat
Next by thread: RE: CA=True for an OCSP certficat
Index(es):
- Date
- Thread