RFC 3280 says: This extension MAY appear as a critical or non-critical extension in CA certificates that contain public keys used exclusively for purposes other than validating digitalsignatures on certificates. Such CA certificates include ones that
contain public keys used exclusively for validating digital signatures on CRLs and ones that contain key management public keysused with certificate enrollment protocols.
This does not exclude OCSP, SCVP, DVCS responders, TSAs, LTAP serversXKMS services or whatever else you might associate to a CA.
A technical of CA=true is only associated to CertSigners (in thepath validation routine, and in the keyusage requirements. Other protocols/usages are not concerned. One may conclude from the text in 3280 that if issuer=subject then CA=true must be set. but I am not sure because of the difference in the first and second sentence in the description of basic constraints.
The basic constraints extension identifies whether the subject of thecertificate is a CA ...
The cA boolean indicates whether the certified public key belongs toa CA. I don't think that this really matters.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature