
Re: Open Issue in Part1: path length constraints



David,

> Steve,
>
> Stephen Kent wrote:
>
>> I see there is considerable sentiment to allow for non-CA flagged
>> entities to sign CRLs, but I'm not yet sure I understand why folks
>> consider it important to not turn on the CA flag in certs for such
>> entities. After all, since we have separate key usage bits for cert
>> and CRL signing, we can construct a cert for an entity that signs
>> CRLs and not grant that entity the ability to sign certs, if we so
>> desire.
>
> I don't think so. From Section 4.2.1.10:
>
> "If the cA bit is asserted, then the keyCertSign bit in the key usage
> extension (see 4.2.1.3) MUST also be asserted."

Good point; I missed that one!


So, if we adhere to this constraint we can't have an entity labelled as a CA but restricted to issuing only CRLs. So, we need to reconcile the various parts of the document to have a consistent, well-defined description of what folks can/should do to separate out CRL signing from cert signing.

Steve