
Re: Certificate Path Validation



Sunil,

> Dear PKIX WG:
> 
> I need some help on Certificate Path Validation.
> 
> If my trust anchor is a non self signed certificate, what should be the
> contents of the initial permitted_subtrees.

Any name restriction, if any, you want to apply for that trust anchor.

> permitted_subtrees is defined as "a set of root names for each name type
> (e.g., X.500 distinguished names, email addresses, or ip addresses) 
> defining a set of subtrees within which all subject names in subsequent 
> certificates in the certification path MUST fall".
> 
> The RFC 3280, section 6.1.2, subsection b, says
> 
> "the initial value for the set for Distinguished Names is the set of all
> Distinguished names;"
 
> So is the RFC recommending ignoring the Name constraints extension (if
> present) in the CA certificates that are higher in the hierarchy than 
> the trust anchor?

There exist no "CA certificates that are higher in the hierarchy than the
trust anchor". So the sentence is not correct.

If the trust anchor contains name restrictions, then they MUST be used as
part of the initial permitted_subtrees. In addition, you can apply
additional name restrictions. This means that the initial permitted_subtrees
conditions may come both from name restrictions contained in the self-signed
certificate (if any) and from name restrictions external to the trust anchor
(which may or may not be specified in the form of a self-signed
certificate). 
 
> Is the recommendation the same for excluded_subtrees and other policies?

The same philosophy applies.

Regards,

Denis

> TIA,
> Sunil
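
The initialization described in the reply above, as an added example that is not part of the thread or of RFC 3280: the initial permitted_subtrees starts as "all Distinguished Names" and is narrowed by intersection with the trust anchor's name restrictions and with any external ones. Assumptions: DNs are modelled as tuples of RDN strings (root first), all function names and sample names are constructed for illustration, and intersection is used because that is how RFC 3280 combines permitted subtrees during path processing.

```python
# Added example; DN subtrees are tuples of RDN strings, root first (assumption).
ALL_NAMES = None  # RFC 3280 6.1.2(b): initially every Distinguished Name is permitted


def is_within(name, subtree):
    """True if `name` equals or is subordinate to `subtree` (RDN prefix match)."""
    return name[:len(subtree)] == subtree


def intersect(current, new):
    """Intersect two permitted-subtree sets; None means 'unconstrained'."""
    if current is None:
        return None if new is None else set(new)
    if new is None:
        return set(current)
    result = set()
    for a in current:
        for b in new:
            if is_within(a, b):      # a is the narrower (or equal) subtree
                result.add(a)
            elif is_within(b, a):    # b is the narrower subtree
                result.add(b)
    return result                    # disjoint subtrees contribute nothing


def initial_permitted_subtrees(anchor_constraints, external_constraints):
    """Combine restrictions carried by the anchor with locally configured ones."""
    state = ALL_NAMES
    for constraints in (anchor_constraints, external_constraints):
        state = intersect(state, constraints)
    return state


def subject_permitted(subject, permitted):
    """Check one subject DN against the current permitted_subtrees state."""
    return permitted is None or any(is_within(subject, s) for s in permitted)


# Constructed sample data: restrictions in the anchor and external to it.
ANCHOR = {("C=US", "O=Example")}
EXTERNAL = {("C=US", "O=Example", "OU=Eng"), ("C=FR",)}
INITIAL = initial_permitted_subtrees(ANCHOR, EXTERNAL)

if __name__ == "__main__":
    print(INITIAL)
    print(subject_permitted(("C=US", "O=Example", "OU=Eng", "CN=alice"), INITIAL))
    print(subject_permitted(("C=US", "O=Example", "OU=Sales", "CN=bob"), INITIAL))
```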