[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A proxy certificate validation question.

To: Stephen Kent <kent@xxxxxxx>
Subject: Re: A proxy certificate validation question.
From: Von Welch <vwelch@xxxxxxxx>
Date: Wed, 07 Jan 2009 17:16:41 -0600
Cc: vwelch@xxxxxxxxxxxx, Simon Josefsson <simon@xxxxxxxxxxxxx>, "Timothy J. Miller" <tmiller@xxxxxxxxx>, "ietf-pkix@xxxxxxx" <ietf-pkix@xxxxxxx>
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: NCSA
References: <4964DEFF.9080000@xxxxxxxxx> <87aba33tpd.fsf@xxxxxxxxxxxxxxxxxxx> <49651DFF.9040809@xxxxxxxx> <>
Reply-to: vwelch@xxxxxxxxxxxx
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.19 (Macintosh/20081209)

Steve,

 Yes, while both the basic constraints with CA != True and the
critical extension should cause a failure in that case, the basic
constraints failure should come first per processing rules.

Von

Stephen Kent wrote:
> 
> Von,
> 
> I think David Cooper's response is correct, i.e., because the issuer of
> the proxy cert is an EE, and an EE is NOT normally allowed to pose as a
> CA, the cert path validation should fail if an RP is not aware of the
> special processing required for a proxy cert.
> 
> Steve

Follow-Ups:
- RE: A proxy certificate validation question.
  - From: Hallam-Baker, Phillip

References:
- A proxy certificate validation question.
  - From: Timothy J. Miller
- Re: A proxy certificate validation question.
  - From: Simon Josefsson
- Re: A proxy certificate validation question.
  - From: Von Welch
- Re: A proxy certificate validation question.
  - From: Stephen Kent

Prev by Date: Re: A proxy certificate validation question.
Next by Date: RE: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
Previous by thread: Re: A proxy certificate validation question.
Next by thread: RE: A proxy certificate validation question.
Index(es):
- Date
- Thread