
RE: keyCertSign and cRLSign Key Usage Bits



Title: RE: keyCertSign and cRLSign Key Usage Bits

Russ: I agree with the text.

I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).

But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL.  It needs to ensure that the cRLSign bit is set in the keyUsage extension.

-----Original Message-----
From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Tuesday, April 24, 2001 10:37 AM
To: ietf-pkix@xxxxxxx
Subject: keyCertSign and cRLSign Key Usage Bits


The consensus on these bits is not totally clear to me.  Yet, several
points have been consistently, and I think that the following text
incorporates them.  The debate regarding the linkage between these bits and
the cA bit in the basic constraints extension does not seem to be over, and
I have not made any changes in that area.  Please use this new thread to
discuss any remaining unresolved points.

       The keyCertSign bit is asserted when the subject public key is
       used for verifying a signature on public key certificates.  This
       bit MUST only be asserted in CA certificates.  If the keyCertSign
       bit is asserted, then the cA bit in the basic constraints
       extension (see 4.2.1.10) MUST also be asserted.  If neither the
       cRLSign bit nor the keyCertSign bit are asserted, then the cA bit
       in the basic constraints extension MUST NOT be asserted.

       The cRLSign bit is asserted when the subject public key is used
       for verifying a signature on a certificate revocation list (e.g.,
       a CRL or an ARL).  This bit MUST be asserted in CA and Attribute
       Authority (AA) certificates that are used to verify signatures on
       CRLs.  If the cRLSign bit is asserted in a CA certificate, then
       the cA bit in the basic constraints extension (see 4.2.1.10) MUST
       also be asserted.  If the cRLSign bit is asserted in an AA
       certificate, then the cA bit in the basic constraints extension
       MUST NOT be asserted.  Such AA certificates MUST NOT be used to
       verify signatures on CRLs containing revocation information for
       public key certificates; however, these AA certificates MAY be
       used to verify signatures on CRLs containing revocation
       information concerning attribute certificates.  If neither the
       cRLSign bit nor the keyCertSign bit are asserted, then the cA bit
       in the basic constraints extension MUST NOT be asserted.

Russ
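As an added illustration (not part of the thread or of any PKIX draft), the rules Russ quotes, encoded as a consistency check over a certificate's keyUsage and basicConstraints values, together with the strict and "forgiving" CRL-verifier behaviours the reply contrasts. The DER decoder covers only the KeyUsage BIT STRING; the CertProfile fields are an assumed stand-in for a parsed certificate.

```python
"""Checker for the keyCertSign / cRLSign / cA linkage rules quoted above (added example)."""
from dataclasses import dataclass

# KeyUsage bit numbers as defined in X.509: keyCertSign(5), cRLSign(6)
KEY_CERT_SIGN = 5
CRL_SIGN = 6


def key_usage_bits(der: bytes) -> set[int]:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into the set of asserted bit numbers.
    Only short-form lengths are handled, which is all a KeyUsage value ever needs."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    total_bits = len(body) * 8 - unused
    # Bit 0 is the most significant bit of the first content octet.
    return {i for i in range(total_bits) if (body[i // 8] >> (7 - i % 8)) & 1}


@dataclass
class CertProfile:
    key_usage: set[int]      # asserted KeyUsage bit numbers
    ca: bool                 # cA bit of basicConstraints (False when the extension is absent)
    is_aa: bool = False      # Attribute Authority certificate (PMI), as distinguished in the text


def profile_violations(c: CertProfile) -> list[str]:
    """Return every MUST / MUST NOT from the quoted text that this profile breaks."""
    kcs, crs = KEY_CERT_SIGN in c.key_usage, CRL_SIGN in c.key_usage
    problems = []
    if kcs and not c.ca:
        problems.append("keyCertSign asserted but cA not asserted")
    if crs and not c.is_aa and not c.ca:
        problems.append("cRLSign asserted in CA certificate but cA not asserted")
    if crs and c.is_aa and c.ca:
        problems.append("cRLSign asserted in AA certificate but cA asserted")
    if not kcs and not crs and c.ca:
        problems.append("cA asserted but neither keyCertSign nor cRLSign asserted")
    return problems


def may_verify_pkc_crl(c: CertProfile, forgiving: bool) -> bool:
    """Whether a client accepts this certificate to verify a CRL covering public key certificates.
    cRLSign is always required; a strict client also requires cA, the forgiving one does not."""
    if CRL_SIGN not in c.key_usage or c.is_aa:   # AA certs never vouch for PKC revocation
        return False
    return forgiving or c.ca
```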