Re: CA=True for an OCSP certificate
At 12:22 PM +0200 4/3/08, Peter Sylvester wrote:
> Stephen and Santosh,
> thanks for the answer.
> The origin of my question:
> A test tool that wants to distinguish 'CA certificates, CRL signers and
> EE certs'
> (CA certificates in the meaning: it can sign certificates).
Given the description of the problem you're solving, I think there are
several ways to perform the checks, not just one right way.
> IMO the way to proceed is:
> A CA cert is one that has keyusage=keyCertSign
> If not; If it has CRLsign, then it is a CRL signer
> else it is an EE cert.
I am not comfortable declaring a cert to be an EE cert by default,
without looking at the basic constraints extension.
> One does not use basicConstraints to distinguish these types.
3280 does say that the keyCertSign bit is used to mark a CA cert, but the
wording there is less "direct" than in the discussion of the basic
constraints extension, i.e., 4.2.1.3 says

"The keyCertSign bit is asserted when the subject public key is used for
verifying a signature on public key certificates. If the keyCertSign bit
is asserted, then the cA bit in the basic constraints extension (section
4.2.1.10) MUST also be asserted."

whereas 4.2.1.10 says:

"The cA boolean indicates whether the certified public key belongs to a
CA. If the cA boolean is not asserted, then the keyCertSign bit in the key
usage extension MUST NOT be asserted."

This emphasizes the need for the CA flag to be TRUE, but also asserts the
need for the keyCertSign bit to be set. So I would argue that checking the
basic constraints extension is the preferred discriminator between a CA
cert and an EE cert, but that's a minor point since both have to have the
right values for a cert to be a valid CA cert.
As for a CRL signer, 4.2.1.10 says:

"If the subject is a CRL issuer (e.g., the key usage extension, as
discussed in 4.2.1.3, is present and the value of cRLSign is TRUE) ..."

so your criterion here seems more appropriate.
Steve
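The classification the thread converges on (cA boolean as the CA/EE discriminator, cRLSign for CRL signers, and the two RFC 3280 MUSTs as consistency checks) can be written down directly. The script below is an added example, not code from the thread or from any PKIX tool; it decodes the raw DER values of the basicConstraints and keyUsage extensions with a minimal hand-written TLV parser (an assumption for illustration, so that it runs with no dependencies) and reports both the cert kind and any keyUsage/basicConstraints inconsistency. The sample extension values at the bottom are constructed by hand and do not come from any real certificate.

```python
"""Classify a certificate as CA / CRL signer / EE from its basicConstraints
and keyUsage extension values, applying the RFC 3280 rules quoted in the
thread (4.2.1.3 and 4.2.1.10).  Pure-Python DER decoding, no dependencies."""

# keyUsage bit positions from RFC 3280 4.2.1.3
KEY_CERT_SIGN = 5
CRL_SIGN = 6


def _tlv(data, pos):
    """Decode one DER tag-length-value at `pos`.

    Returns (tag, value_bytes, position_after_value); handles short- and
    long-form lengths, which is all the extension values here need."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_key_usage(der):
    """Decode a keyUsage extension value (DER BIT STRING) into the set of
    asserted bit indexes, e.g. {5, 6} for keyCertSign + cRLSign."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x03:
        raise ValueError("keyUsage value must be a BIT STRING")
    unused = body[0]                        # first octet: count of unused trailing bits
    bits = set()
    for i in range((len(body) - 1) * 8 - unused):
        if body[1 + i // 8] & (0x80 >> (i % 8)):
            bits.add(i)
    return bits


def parse_basic_constraints(der):
    """Decode basicConstraints SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } into (cA, pathLenConstraint).
    DER omits DEFAULT values, so an empty SEQUENCE means cA = FALSE."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("basicConstraints value must be a SEQUENCE")
    ca, pathlen, pos = False, None, 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        if t == 0x01:                       # BOOLEAN
            ca = v != b"\x00"
        elif t == 0x02:                     # INTEGER
            pathlen = int.from_bytes(v, "big")
    return ca, pathlen


def classify(basic_constraints_der=None, key_usage_der=None):
    """Return (kind, issues).

    kind is "CA", "CRL signer" or "EE".  The cA boolean is the primary
    discriminator for CA vs. EE (Steve's preference); cRLSign decides CRL
    signer (Peter's criterion, which Steve accepts).  issues lists the
    keyUsage/basicConstraints inconsistencies the quoted MUSTs forbid."""
    ca = False
    if basic_constraints_der is not None:
        ca, _ = parse_basic_constraints(basic_constraints_der)
    usage = parse_key_usage(key_usage_der) if key_usage_der is not None else None

    issues = []
    if usage is not None:
        if KEY_CERT_SIGN in usage and not ca:
            issues.append("keyCertSign asserted but cA is FALSE (violates 4.2.1.3 / 4.2.1.10)")
        if ca and KEY_CERT_SIGN not in usage:
            issues.append("cA is TRUE but keyCertSign is not asserted; both must be set for a valid CA cert")

    if ca:
        kind = "CA"
    elif usage is not None and CRL_SIGN in usage:
        kind = "CRL signer"
    else:
        kind = "EE"
    return kind, issues


# Constructed sample extension values (DER encoded by hand), not from any real certificate.
BC_CA_PATHLEN0 = bytes.fromhex("30 06 01 01 FF 02 01 00")   # cA TRUE, pathLenConstraint 0
BC_EMPTY = bytes.fromhex("30 00")                           # cA absent -> FALSE
KU_CERTSIGN_CRLSIGN = bytes.fromhex("03 02 01 06")         # bits 5 and 6 set, 1 unused bit
KU_CRLSIGN_ONLY = bytes.fromhex("03 02 01 02")             # bit 6 only
KU_DIGSIG_ONLY = bytes.fromhex("03 02 07 80")              # bit 0 only, 7 unused bits
KU_CERTSIGN_ONLY = bytes.fromhex("03 02 02 04")            # bit 5 only, 2 unused bits

if __name__ == "__main__":
    for label, bc, ku in [
        ("root CA", BC_CA_PATHLEN0, KU_CERTSIGN_CRLSIGN),
        ("CRL signer", BC_EMPTY, KU_CRLSIGN_ONLY),
        ("EE, no basicConstraints", None, KU_DIGSIG_ONLY),
        ("keyCertSign without cA", BC_EMPTY, KU_CERTSIGN_ONLY),
    ]:
        print(label, "->", classify(bc, ku))
```

The last sample is the case the thread is really about: a cert carrying keyCertSign but no cA=TRUE. Peter's keyUsage-first rule would call it a CA; the basic-constraints-first rule calls it an EE and reports the violated MUST, so a test tool sees both the classification and the reason the cert is malformed.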