
Re: CA=True for an OCSP certificate

The interface of the tool enables you to specify which of the three types the input is. There's also an option "Auto-Detect" which, as any "Auto-Detect" option, will do its best effort to determine the right type. That option is guaranteed to give the right result for any valid Certificate Signer, CRL Signer or EE Cert.
Right, but you have valid certificates that do not fall into these three categories. If "End Entity" means CA=false, then there is a fourth case with "Other CA certificate".
But when confronted with a cert that has CA=True but no Cert signing and no CRL signing in key usage and therefore is :
- not a valid Certificate Signer
- not a valid CRL Signer
- not a valid EE Cert
the one Auto-Detect will pick is a random choice, knowing that the tool will report the cert is invalid and therefore rejected.
But such a certificate is completely valid according to RFC 3280. The three categories do not cover all possibilities.

I agree that for CA=false and keyusage=certsign you cannot determine a valid category.

The definitions are problematic: You can have a certificate which is Certificate Signer and CRL Signer. And you can have certificates of a CA which are not usable for cert/crl signing. If you don't have injection such as for a certificate with certsign and crlsign, but slightly changing the definition to CRL signer "only" (with certsigning), the first problem can be solved (and as far as I see, the tool implements exactly this.)

The problem is that there is no surjection in the above three cases. There is no category that you can explicitly select, and obviously, you cannot determine it. Either there is a fourth case or you modify the last to mean "EE cert or other CA certs (no CRL sign, no cert sign)".


This is my main point Peter. The Auto-Detect option is inadequate for such a certificate.
As well as the three explicit options.
When the cert is invalid, how could anybody *know for sure* what the person producing it intended to do?
But the cert in question IS valid: As long as the categories do not completely cover the space of valid certificates, there is a problem.
For invalid certificates, i.e. invalid combinations of the values of basicconstraints and keyusage, auto detection does not work indeed.

Therefore there's no reason to care as much as you do for the result, Auto-Detect is a convenience but just don't use it when a predictable result is really important.


--
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; you will also find the list of revoked certificates there.
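As an added illustration of the coverage gap argued in this message (example code written for this page, not the tool's own code), the classifier below applies the three categories as the thread describes them, using the "CRL Signer only" reading, and enumerates the RFC 3280-valid basicConstraints/keyUsage combinations that land in none of them. Treating a non-CA certificate that carries cRLSign as a CRL Signer is an assumption, as are the category names as constants.

```python
from itertools import product
from typing import FrozenSet, List, Optional, Tuple

# Category names as used in the thread (constants are ours, not the tool's).
CERT_SIGNER = "Certificate Signer"
CRL_SIGNER = "CRL Signer"
EE_CERT = "EE Cert"

# keyUsage bits relevant to the discussion; other bits do not change the outcome.
KEY_USAGE_BITS = ("digitalSignature", "keyCertSign", "cRLSign")


def classify(ca: bool, key_usage: FrozenSet[str]) -> Optional[str]:
    """Return the tool-style category, or None when no category fits.

    Raises ValueError for the combination RFC 3280 section 4.2.1.3 forbids:
    keyCertSign asserted while the basicConstraints cA flag is FALSE.
    """
    if "keyCertSign" in key_usage and not ca:
        raise ValueError("keyCertSign requires cA=TRUE (RFC 3280 4.2.1.3)")
    if "keyCertSign" in key_usage:
        return CERT_SIGNER          # may also carry cRLSign; still a cert signer
    if "cRLSign" in key_usage:
        return CRL_SIGNER           # "CRL signer only": cRLSign without keyCertSign
    if not ca:
        return EE_CERT              # End Entity == cA=FALSE
    return None                     # the fourth case: cA=TRUE, no cert/CRL signing


def uncovered_valid_combinations() -> List[Tuple[bool, Tuple[str, ...]]]:
    """Enumerate every (cA, keyUsage) combination over KEY_USAGE_BITS and
    return those that are valid per RFC 3280 yet match no category."""
    gaps = []
    for ca, *bits in product((False, True), repeat=1 + len(KEY_USAGE_BITS)):
        ku = frozenset(b for b, on in zip(KEY_USAGE_BITS, bits) if on)
        try:
            if classify(ca, ku) is None:
                gaps.append((ca, tuple(sorted(ku))))
        except ValueError:
            continue                # invalid cert; auto-detection cannot help anyway
    return gaps


if __name__ == "__main__":
    # Constructed input: an OCSP responder cert issued with cA=TRUE, as in the subject.
    print(classify(True, frozenset({"digitalSignature"})))   # None: no category
    print(uncovered_valid_combinations())
```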
