RE: Open Issue in Part1: path length constraints
"David P. Kemp" <dpkemp@xxxxxxxxxxxxxx> writes:
>Consider the following certificates:
>
>#  cA     CertSign  cRLSign  Effect
>-  -----  --------  -------  ------------
>0  F      0         0        End Entity
>1  F      0         1        End Entity (can sign CRLs)
>2  F      1         0        End Entity
>3  F      1         1        End Entity (can sign CRLs)
>4  T      0         0        (Illegal*) Is a CA but can't sign certs or CRLs
>5  T      0         1        (Illegal*) Is a CA, can sign CRLs only
>6  T      1         0        CA, can sign certs
>7  T      1         1        CA, can sign certs and CRLs
>
>* As Dave S. points out, 4.2.1.10 prohibits cert types 4 and 5.
What about 2 and 3? They can sign certs but they're not a CA, wouldn't this be
illegal? (I proposed 2 in my autonomous certs draft for people who have
signing certs who want to issue their own encryption certs without going
through a CA, but apart from that special use I'm not sure what the semantics
for this combination are).
Peter.