[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A proxy certificate validation question.
Yes, while both the basic constraints with CA != True and the
critical extension should cause a failure in that case, the basic
constraints failure should come first per processing rules.
Stephen Kent wrote:
> I think David Cooper's response is correct, i.e., because the issuer of
> the proxy cert is an EE, and an EE is NOT normally allowed to pose as a
> CA, the cert path validation should fail if an RP is not aware of the
> special processing required for a proxy cert.