Peter Sylvester wrote:
Yes, it doesn't. On the other hand, it just says it can occur inside them; it doesn't say which value should be used.

RFC 3280 says: "This extension MAY appear as a critical or non-critical extension in CA certificates that contain public keys used exclusively for purposes other than validating digital signatures on certificates. Such CA certificates include ones that contain public keys used exclusively for validating digital signatures on CRLs and ones that contain key management public keys used with certificate enrollment protocols." This does not exclude OCSP, SCVP, DVCS responders, TSAs, LTAP servers, XKMS services or whatever else you might associate with a CA.

I'm now certain it matters even more than I thought, and also that my interpretation was too open.

"The basic constraints extension identifies whether the subject of the certificate is a CA ... The cA boolean indicates whether the certified public key belongs to a CA." I don't think that this really matters.

I've just checked what exactly X.509/200508 says about it: http://www.itu.int/rec/T-REC-X.509-200508-I/en

Well, it's a similar text, but the differences make it a lot clearer about what the intent is:

8.4.2.1 Basic constraints extension

This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. [...] The cA component indicates if the certified public key may be used to verify certificate signatures.
So here we are, one should only set cA=true on keys that are intended to sign other certificates.
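As an added illustration of that conclusion (example code written for this page, not from the thread or any of the standards it cites), here is a small pure-Python check that decodes the DER value of the basicConstraints and keyUsage extensions and flags a cA=true that is not backed by keyCertSign, or a keyCertSign without cA=true (the latter is forbidden by RFC 3280 4.2.1.3). The byte strings in the tests are hand-constructed extension values, not taken from any real certificate; only short-form DER lengths are handled.

```python
# Added example: lint the basicConstraints cA flag against keyUsage.
# Test inputs used with it are constructed by hand, not real certificates.

KEY_CERT_SIGN_BIT = 5   # RFC 3280 KeyUsage bit positions: keyCertSign(5), cRLSign(6)


def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Short-form length only."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not supported in this example")
    start = pos + 2
    return tag, data[start:start + length], start + length


def parse_basic_constraints(der):
    """Return (cA, pathLenConstraint) from a DER BasicConstraints value.
    cA is DEFAULT FALSE, so an empty SEQUENCE means 'not a CA'."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:            # BOOLEAN cA
        _, val, pos = _tlv(body, pos)
        if val not in (b"\xff", b"\x00"):                 # DER: TRUE is exactly 0xFF
            raise ValueError("non-DER BOOLEAN encoding")
        ca = val == b"\xff"
    if pos < len(body) and body[pos] == 0x02:            # INTEGER pathLenConstraint
        _, val, pos = _tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len


def parse_key_usage(der):
    """Return the set of asserted bit positions from a DER KeyUsage BIT STRING."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]
    total = len(bits) * 8 - unused
    return {i for i in range(total) if bits[i // 8] & (0x80 >> (i % 8))}


def ca_flag_problems(basic_constraints_der, key_usage_der=None):
    """Report mismatches: cA=true belongs only on keys that verify certificate
    signatures (keyCertSign), and keyCertSign requires cA=true."""
    ca, path_len = parse_basic_constraints(basic_constraints_der)
    problems = []
    if key_usage_der is not None:
        usage = parse_key_usage(key_usage_der)
        if ca and KEY_CERT_SIGN_BIT not in usage:
            problems.append("cA=true but keyUsage lacks keyCertSign")
        if KEY_CERT_SIGN_BIT in usage and not ca:
            problems.append("keyCertSign asserted but cA is not true")
    if path_len is not None and not ca:
        problems.append("pathLenConstraint present but cA is not true")
    return problems
```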