When to set CA = True ?
This is a subsidiary discussion on the "CA=True for an OCSP certificate"
subject in order to determine which certificates exactly can have
CA=True set.
In a talk with me (outside of the list), Peter interpreted the sentence
in chapter 4.2.1.10 Basic Constraints, "The cA boolean indicates
whether the certified public key belongs to a CA.", to mean that all
certificates technically operated by the CA may have the CA=True bit set.
I'm not fully satisfied with that because it means that any kind of
certificate used by a CA will have the cA boolean set, which will
probably not be interpreted very well by software and dilutes the
meaning of that bit.
Also it goes in the opposite direction of this sentence in chapter
"4.1.2.6 Subject"
If the subject is a CRL
issuer (e.g., the key usage extension, as discussed in 4.2.1.3, is
present and the value of cRLSign is TRUE)
which allows even a CRL issuer cert not to have the cA boolean set, and
so goes in the direction of "few certificates should have the cA boolean
set to true".
Rereading also this in chapter "4.1.2.6 Subject"
If
the subject is a CA (e.g., the basic constraints extension, as
discussed in 4.2.1.10, is present and the value of cA is TRUE), then
the subject field MUST be populated with a non-empty distinguished
name matching the contents of the issuer field (section 4.1.2.4) in
all certificates issued by the subject CA
and the first sentence of "4.2.1.10 Basic Constraints"
The basic constraints extension identifies whether the subject of the
certificate is a CA
as well as the rest of the text, I'm more in favor of another
interpretation that in my opinion underlies the whole text but is not
described explicitly enough.
A CA (as has already been discussed at length here) is defined by its DN.
Every certificate that has the same DN designates the same CA.
So when the text says "If the subject is a CA" - "the subject of the
certificate is a CA", this means quite clearly "when the DN in the
subject identifies a CA entity", and so only certificates whose subject
is equal to the subject of a CA entity may have the CA=True bit set.
Going further, I'd suggest that it would make things a lot clearer and
more precisely determined to make it a must that all certificates
issued with a subject that is the DN of a CA entity MUST have the Basic
Constraints cA boolean set to true, and all certificates issued with a
subject that is not the DN of a CA entity MUST NOT have the Basic
Constraints cA boolean set to true.
The point in chapter "4.1.2.6 Subject" that allows a CRL issuer not to
have the cA boolean set to true would then correspond to the fact that
when the CRL issuer entity is also acting as a CA, it MUST have the cA
boolean set to true, but when the CRL issuer is a delegated CRL issuer
that does not also act as a CA entity, it MUST NOT have it set.
This would make things a lot less fuzzy by providing clear guidance on
when to set that bit.
This being said, I know at least one CA that does not set the cA boolean
true on its CRL issuer certificate, despite it not being a delegated
CRL issuer (CRL verification relies on the fact that the DN is the same
as the DN of the CA).
That approach would be the "let's never set the cA boolean true except
on certificates that sign other certificates" approach which can also
make sense, because in the current state of things they are the only
ones that actually require that bit.
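The two readings discussed in the message, as an added example that is not part of the original post or of the RFC text: a small model of the certificate fields the rules depend on, the checks that RFC 3280 actually states for the cA bit (keyCertSign only with cA=TRUE, non-empty subject when cA=TRUE), and the stricter DN-based rule proposed above. The sample PKI, its DNs and the assumption that a "CA entity" is any DN that issues certificates or holds keyCertSign are constructed for the example; DNs are compared as plain strings, which real code must not do.

```python
"""Compare the RFC 3280 cA-bit rules with the DN-based rule proposed in
the post, over a constructed set of certificates (example only)."""
from typing import FrozenSet, List, NamedTuple, Set


class Cert(NamedTuple):
    """Minimal model of the X.509 fields the rules use. Assumption: DNs
    are plain strings; real code compares DNs per the RFC matching rules."""
    label: str
    subject: str
    issuer: str
    ca: bool                    # basicConstraints.cA
    key_usage: FrozenSet[str]   # e.g. {"keyCertSign", "cRLSign"}


def ca_entities(certs: List[Cert]) -> Set[str]:
    """A CA entity is identified by its DN (assumption for the example: a
    DN that issues certificates, or is certified to do so via keyCertSign,
    names a CA entity)."""
    return {c.issuer for c in certs} | {
        c.subject for c in certs if "keyCertSign" in c.key_usage}


def rfc_violations(certs: List[Cert]) -> List[str]:
    """What RFC 3280 actually requires of the cA bit:
    - keyCertSign MUST NOT be asserted unless cA is TRUE (4.2.1.10);
    - a cA=TRUE certificate carries a non-empty subject DN (4.1.2.6).
    A CRL issuer certificate needs cRLSign but not cA."""
    out = []
    for c in certs:
        if "keyCertSign" in c.key_usage and not c.ca:
            out.append(f"{c.label}: keyCertSign without cA=TRUE")
        if c.ca and not c.subject:
            out.append(f"{c.label}: cA=TRUE with empty subject")
    return out


def proposed_rule_violations(certs: List[Cert]) -> List[str]:
    """The stricter rule proposed in the post: a certificate whose subject
    is the DN of a CA entity MUST have cA=TRUE, every other certificate
    MUST NOT."""
    cas = ca_entities(certs)
    out = []
    for c in certs:
        is_ca_dn = c.subject in cas
        if is_ca_dn and not c.ca:
            out.append(f"{c.label}: subject is a CA DN but cA is FALSE")
        if not is_ca_dn and c.ca:
            out.append(f"{c.label}: subject is not a CA DN but cA is TRUE")
    return out


# Constructed sample PKI; all names are made up for the example.
ROOT = "CN=Example Root CA"
SUB = "CN=Example Issuing CA"
SAMPLE_CERTS = [
    Cert("root", ROOT, ROOT, True, frozenset({"keyCertSign", "cRLSign"})),
    Cert("sub-ca", SUB, ROOT, True, frozenset({"keyCertSign"})),
    # The case at the end of the post: the issuing CA's own CRL signing
    # certificate, same DN as the CA, cA not set. Fine under the RFC text,
    # a violation under the proposed rule.
    Cert("sub-ca-crl-signer", SUB, ROOT, False, frozenset({"cRLSign"})),
    # Delegated CRL issuer with its own DN: cRLSign, no cA (4.1.2.6).
    Cert("delegated-crl-issuer", "CN=Example CRL Issuer", SUB, False,
         frozenset({"cRLSign"})),
    # Peter's reading: an operational certificate of the CA with cA=TRUE.
    # Not forbidden by the RFC text, rejected by the proposed rule.
    Cert("ca-operator-mail", "CN=ca-ops@example.test", SUB, True,
         frozenset({"digitalSignature"})),
    Cert("end-entity", "CN=www.example.test", SUB, False,
         frozenset({"digitalSignature", "keyEncipherment"})),
    # Misconfiguration both readings reject: a cert signer without cA.
    Cert("broken-sub-ca", "CN=Broken Sub CA", ROOT, False,
         frozenset({"keyCertSign"})),
]

if __name__ == "__main__":
    for name, fn in (("RFC 3280 text", rfc_violations),
                     ("proposed rule", proposed_rule_violations)):
        print(f"{name}:")
        for v in fn(SAMPLE_CERTS) or ["(no violations)"]:
            print("  " + v)
```

Running it shows the difference between the two readings: the RFC checks flag only the keyCertSign certificate lacking cA, while the DN-based rule additionally flags the CA's own CRL signer (same DN, cA absent) and the operational certificate carrying cA=TRUE, which is exactly the dilution the message argues against.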