
Re: X.509, PKIX, and pathLenConstraint



David,

You and Sharon make a good point:

"David A. Cooper" wrote:

> David,
>
> I think I'm starting to see where the problem lies. I disagree with your belief that including pathLenConstraint=0 means that "CA1 does not want CA2 to further issue CA certs". I believe that CA1 is only making a statement about which certificates it wishes its own relying parties to validate.

With this perspective, the only way that CA1 can constrain CA2 is by policy. Thus, it should be technically feasible for CA2 to issue CA3 a certificate, where CA1 may rely upon CA3 for the purposes of issuing CRLs, but not issuing certificates.  In this way, CA3 is treated like any entity that CA2 may assign the function of issuing CRLs (or, acting as any other EE, signing any data object other than a certificate).

To achieve this, as Tim previously noted, 6.1.5 currently supports this through omission.  However, to 4.2.1.10, I suggest the addition of "intermediate", and I believe the note merits elevation to in-line text as follows:

"The pathLenConstraint field is meaningful only if cA is set to TRUE. In this case, it gives the maximum number of *intermediate* CA certificates that may follow this certificate in a certification path. One end-entity certificate will follow the final CA certificate in the path. The last certificate in a path is considered an end-entity certificate, whether the subject of the certificate is a CA or not."

Thoughts?

--
David Simonetti
Securify (www.securify.com), 410-356-2260
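The distinction argued in this message (a CA certificate in the last position of a path is validated as an end entity, while the same certificate in an intermediate position counts against pathLenConstraint) can be shown with a small model of the path-length bookkeeping from PKIX path validation. The following is an added example written for this archive page, not code from the thread or from any PKIX specification; the `Cert` class, the `check_path_len` function and the CA1/CA2/CA3/server certificates are constructed for illustration, and only basicConstraints processing is modelled (no signatures, names, validity or policy checks).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Only the fields that path-length processing looks at (constructed model)."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint, None if absent


def check_path_len(path: List[Cert]) -> bool:
    """Return True if `path` satisfies every pathLenConstraint it carries.

    `path` is ordered from the certificate issued by the trust anchor down to
    the target certificate, as in PKIX path validation.  Only the
    basicConstraints / path-length processing is modelled here; signatures,
    names, validity periods and policies are out of scope for this illustration.
    """
    # max_path_length starts at n (the path length) and is lowered by each
    # pathLenConstraint encountered; every non-self-issued intermediate CA
    # certificate consumes one unit of it.
    max_path_length = len(path)
    for i, cert in enumerate(path):
        if i == len(path) - 1:
            # The last certificate is treated as an end-entity certificate
            # whether or not its cA flag is set, so it neither consumes path
            # length nor is subject to the remaining-length check.
            return True
        # Every certificate before the last one is an intermediate CA cert.
        if not cert.is_ca:
            return False
        # A non-self-issued intermediate must fit in the remaining length.
        if cert.subject != cert.issuer:
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        # A tighter pathLenConstraint in this cert lowers the remaining budget.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True


# Constructed certificates: CA1 is the trust anchor, so CA1's own certificate
# is not part of the path.  CA1 issued CA2's certificate with
# pathLenConstraint=0; CA2 issued a CA certificate to CA3 and an end-entity
# certificate to "server"; CA3 also issued one to "server".
CA2 = Cert(subject="CA2", issuer="CA1", is_ca=True, path_len=0)
CA3 = Cert(subject="CA3", issuer="CA2", is_ca=True)
EE_FROM_CA2 = Cert(subject="server", issuer="CA2", is_ca=False)
EE_FROM_CA3 = Cert(subject="server", issuer="CA3", is_ca=False)


def scenarios() -> dict:
    """Outcomes for the paths discussed in the thread, keyed by description."""
    return {
        # Zero intermediates after CA2: plainly allowed.
        "CA2 -> EE": check_path_len([CA2, EE_FROM_CA2]),
        # CA3's certificate is last in the path, so it is validated as an
        # end-entity certificate (e.g. as a CRL signer) despite cA=TRUE.
        "CA2 -> CA3 (CA3 as target)": check_path_len([CA2, CA3]),
        # CA3 now sits in an intermediate position, which pathLenConstraint=0
        # forbids; CA1's relying parties reject certificates CA3 issues.
        "CA2 -> CA3 -> EE": check_path_len([CA2, CA3, EE_FROM_CA3]),
    }


if __name__ == "__main__":
    for desc, ok in scenarios().items():
        print(f"{desc:30} {'valid' if ok else 'rejected'}")
```

Running the module prints one line per scenario: the first two paths are valid and the third is rejected, which is exactly the policy-versus-mechanism split in the message: CA2 can technically certify CA3, and CA1's relying parties can still use CA3's certificate as a target (for example to check a CRL signature), but nothing CA3 issues will validate under CA1 as long as CA2's certificate carries pathLenConstraint=0.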