
Re: Open Issue in Part1: path length constraints



Steve,

Stephen Kent wrote:

> I see there is considerable
> sentiment to allow for non-CA flagged entities to sign CRLs, but I'm
> not yet sure I understand why folks consider it important to not turn
> on the CA flag in certs for such entities. After all, since we have
> separate key usage bits for cert and CRL signing, we can construct a
> cert for an entity that signs CRLs and not grant that entity the
> ability to sign certs, if we so desire.
>

I don't think so.  From Section 4.2.1.10:

"If the cA bit is asserted, then the keyCertSign bit in the key usage extension
(see 4.2.1.3) MUST also be asserted."

--
David Simonetti
Securify (www.securify.com), 410-356-2260
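As an added example (not part of this thread, the draft, or Securify's work): a standard-library Python script that decodes the DER value of the keyUsage and basicConstraints extensions and evaluates the rule quoted above, "if cA is asserted then keyCertSign MUST also be asserted", against three hand-constructed certificate profiles, including the CRL-signing-only entity Steve describes (basicConstraints present with cA left at its default of FALSE, keyUsage = cRLSign only). The extension encodings, profile names and function names are constructed for this illustration only.

```python
# Added example (not from the PKIX thread above): decode the DER value of the
# X.509 keyUsage and basicConstraints extensions and evaluate the rule quoted
# from the draft, "if cA is asserted then keyCertSign MUST also be asserted",
# against a few constructed certificate profiles. Standard library only.

KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage(der):
    """keyUsage extnValue: BIT STRING of named bits -> set of asserted bit names."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("keyUsage value must be a BIT STRING")
    unused, bits = value[0], value[1:]
    total = len(bits) * 8 - unused
    return {
        KEY_USAGE_BITS[i]
        for i in range(min(total, len(KEY_USAGE_BITS)))
        if bits[i // 8] & (0x80 >> (i % 8))  # bit 0 is the most significant bit
    }


def decode_basic_constraints(der):
    """basicConstraints extnValue: SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } -> (cA, pathLenConstraint or None)."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("basicConstraints value must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x01:
            ca = v != b"\x00"  # DER encodes TRUE as 0xFF; an absent cA means FALSE
        elif t == 0x02:
            path_len = int.from_bytes(v, "big", signed=True)
    return ca, path_len


def violates_quoted_rule(ca, key_usage):
    """The draft text quoted above: cA asserted => keyCertSign MUST be asserted."""
    return ca and "keyCertSign" not in key_usage


# Constructed extension values (the OCTET STRING contents of each Extension,
# not the whole Extension SEQUENCE), hand-encoded for this example.
PROFILES = {
    # cA=TRUE, pathLenConstraint=0; keyUsage = keyCertSign | cRLSign
    "ca": ("30060101ff020100", "03020106"),
    # basicConstraints present but empty (cA defaults to FALSE); keyUsage = cRLSign only
    "crl-signer-only": ("3000", "03020102"),
    # cA=TRUE but keyUsage = cRLSign only: the combination the quoted text forbids
    "ca-without-keycertsign": ("30030101ff", "03020102"),
}


def evaluate(bc_hex, ku_hex):
    """Decode both extension values and report whether the quoted rule is violated."""
    ca, path_len = decode_basic_constraints(bytes.fromhex(bc_hex))
    ku = decode_key_usage(bytes.fromhex(ku_hex))
    return {"cA": ca, "pathLen": path_len, "keyUsage": ku,
            "violates_rule": violates_quoted_rule(ca, ku)}


def evaluate_profiles():
    """Run the check over every constructed profile; keyed by profile name."""
    return {name: evaluate(bc, ku) for name, (bc, ku) in PROFILES.items()}


if __name__ == "__main__":
    for name, result in evaluate_profiles().items():
        print(f"{name:24s} cA={result['cA']!s:5s} pathLen={result['pathLen']} "
              f"keyUsage={sorted(result['keyUsage'])} violates={result['violates_rule']}")
```

Two practical notes: the decoders expect the extension's extnValue octets (the contents of the OCTET STRING inside each Extension), not the outer Extension SEQUENCE, so a real checker has to unwrap that first; and the rule as quoted only constrains certificates whose cA bit is asserted, so a certificate with cA absent and only cRLSign set is not touched by it at all. Whether such a certificate should be acceptable as a CRL issuer is exactly the open question in the thread, and the code does not decide it.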