RE: CA=True for an OCSP certficat

[Stephen Kent <kent@xxxxxxx>]

At 9:06 AM -0400 4/3/08, Santosh Chokhani wrote:
> Peter,
>
> RFC 3280 is pretty clear on what determines a CA.  It is based on 
> basic constraints for version 3 certificates and out of band means 
> for version 1 and 2.  See section 4.2.1.10 (Basic Constraints) and 
> step k in Section 6.1.4.
>
> RFC 3280 is also clear that CA certificate need not contain key 
> usage extension, let alone have key cert Sign bit.   See step n in 
> Section 6.1.4.

I was not looking at the validation algorithm, but rather at our 
definitions of extensions. I think it is very unfortunate to have a 
mismatch between the two, as you describe.

What do others think?

Steve