Re: Open Issue in Part1: path length constraints, RE: X.509, PKIX, and pathLenConstraint
- To: <ietf-pkix@xxxxxxx>
- Subject: Re: Open Issue in Part1: path length constraints, RE: X.509, PKIX, and pathLenConstraint
- From: "Hiroyuki Sakakibara" <sakaki@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 7 Mar 2001 13:32:40 +0900
Hi

The path validation algorithm, actually, does not check the value in basicConstraints in the end cert, whether it violates the calculated max_path_length or not.

I think that one solution is checking the basicConstraints component value in the end cert against the calculated max_path_length value outside the "path validation" logic. Because some application software always validates end-entity certs only, it may know that an end-entity cert (the end cert in a path) always has cA=FALSE (or the basicConstraints extension is absent). This is not the general case, but may be typical in implementing application software.

I think that much software would check the keyUsage value in an end cert in a similar way. For example, in some secure e-mail systems, the software would accept only a cert with keyUsage with the digitalSignature bit on for verifying the signature of an e-mail message.

I think that the certification path validation phase and the phase of checking the contents of the end cert (except items which can be validated by the path validation algorithm automatically) are different.
Sharon Boeyen> In the path validation process, from a path length constraints standpoint it
Sharon Boeyen> should make no difference what the final cert is used for, nor does it matter
Sharon Boeyen> what type of data was signed with the certified key. The constraint on the
Sharon Boeyen> path is still the same. The final cert and the one containing the constraint do
Sharon Boeyen> not count against the constraint. Is that point agreed? I want to separate
Sharon Boeyen> these so I'll know if the DR is ok to progress.
---------------------------------------
Hiroyuki Sakakibara
MITSUBISHI ELECTRIC CORPORATION
Information Technology R&D Center
5-1-1 Ofuna, Kamakura, Kanagawa, Japan
PHONE: +81-467-41-2183
FAX: +81-467-41-2185
E-mail : sakaki@xxxxxxxxxxxxxxxxxxx
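The two phases discussed above, as an added example that is not code from the thread or from any PKIX implementation: a toy model of the max_path_length bookkeeping that path validation applies to the intermediate certs (the end cert is left untouched, as the message says), and the separate application-level check of the end cert's basicConstraints that the message proposes. Certificates are constructed Python objects rather than parsed DER, and the field names and the rule for how a CA end cert consumes one unit are this example's own assumptions.

```python
# Added example, not code from the original thread. Models the pathLenConstraint
# bookkeeping of X.509 path validation over constructed Cert objects (no DER).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    name: str
    ca: bool                        # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint
    self_issued: bool = False       # issuer name == subject name


def process_path_length(chain: List[Cert]) -> Tuple[bool, int]:
    """Apply the path-length rules to every cert except the last one.
    chain excludes the trust anchor and ends with the end cert.
    max_path_length starts at len(chain); each non-self-issued intermediate
    consumes one unit, and a smaller pathLenConstraint lowers the remainder.
    The end cert is deliberately not processed here, as in the standard."""
    max_path_length = len(chain)
    for cert in chain[:-1]:
        if not cert.ca:
            return False, max_path_length        # intermediates must be CAs
        if not cert.self_issued:
            if max_path_length <= 0:
                return False, max_path_length    # too many intermediates
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, max_path_length


def check_end_cert(end: Cert, max_path_length: int, expect_end_entity: bool) -> bool:
    """Application-level check outside path validation, as the message suggests.
    A mail client that only validates end-entity certs insists on cA=FALSE
    (an absent basicConstraints extension is modelled here as ca=False).
    An application that wants to treat the end cert as a CA checks that its own
    pathLenConstraint does not claim more than the issuers above it left over.
    Assumption of this example: a non-self-issued CA end cert consumes one
    unit of max_path_length itself before its own constraint applies."""
    if expect_end_entity:
        return not end.ca
    if not end.ca:
        return False
    remaining = max_path_length - (0 if end.self_issued else 1)
    return end.path_len is None or end.path_len <= remaining
```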