RE: CA=True for an OCSP certficat

["Santosh Chokhani" <SChokhani@xxxxxxxxxxxx>]

See the following paragraph in Section 6.1 of 3280bis

"While the certificate and CRL profiles specified in sections 4 and 5
   of this document specify values for certificate and CRL fields and
   extensions that are considered to be appropriate for the Internet
   PKI, the algorithm presented in this section is not limited to
   accepting certificates and CRLs that conform to these profiles.
   Therefore, the algorithm only includes checks to verify that the
   certification path is valid according to X.509 and does not include
   checks to verify that the certificates and CRLs conform to this
   profile.  While the algorithm could be extended to include checks for
   conformance to the profiles in sections 4 and 5, this profile
   RECOMMENDS against including such checks."

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Jean-Marc Desperrier
Sent: Friday, April 04, 2008 4:00 AM
To: pkix
Subject: Re: CA=True for an OCSP certficat


Stephen Kent wrote:
> I was not looking at the validation algorithm, but rather at our 
> definitions of extensions.
> I think it is very unfortunate to have a mismatch between the two, as 
> you describe.
>
> What do others think?
I think the mismatch between the two is by design : Be lenient in what 
you accept, strict in what you produce.

The validation algorithm defines what RFC 3280 accepts, the rest of the 
text what it produces, and it would be good to write this explicitly 
somewhere so that there's no confusion.
Especially this mean the validation algorithm should not be used a 
reference text to help define the certificate format of RFC 3280.