Re: basicConstraints with CA=False in EE certs
Tim Polk <tim.polk@xxxxxxxx> writes:

>As Peter implies, since the certificates include the extension but omit the
>boolean "which is the right thing to do", they are compliant with both RFC
>3280 and X.690.  No conflict here!

It's actually incompatible with RFC 2459, and only marginally compatible with
3280:

RFC 2459:

  This extension SHOULD NOT appear in end entity certificates.

RFC 3280:

  This extension MAY appear as a critical or non-critical extension in end
  entity certificates.

The 2459 text excludes it, and the 3280 text makes it highly optional, when in
fact it's "this had better be there or else" ("MUST", I think, would be the
accepted term).  At the current rate of RFC progression, I calculate that
it'll have made it up to "MUST" in [long pause] 2008.

Peter.
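Added example (not part of the thread above, and not code from either poster): the encoding point the two messages turn on is X.690's DER rule (clause 11.5) that a SEQUENCE component equal to its DEFAULT value is not encoded at all, so an end-entity basicConstraints is the empty SEQUENCE `30 00`, while `30 03 01 01 00` (cA explicitly FALSE) is legal BER but not DER. The encoder below produces both forms so the difference is visible, and the strict decoder rejects the BER-only form, a non-canonical BOOLEAN, a non-minimal INTEGER, and a pathLenConstraint on a non-CA (which RFC 3280 4.2.1.10 forbids). The `BasicConstraints` dataclass, the helper names and the `strict`/`explicit_false` flags are my own; the byte strings are the standard DER values, not anything taken from a real certificate.

```python
"""DER encoding and strict decoding of X.509 basicConstraints.

basicConstraints ::= SEQUENCE {
    cA                BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class BasicConstraints:          # hypothetical helper type for this example
    ca: bool = False
    path_len: Optional[int] = None


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with DER (minimal) length octets."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value: int) -> bytes:
    """Non-negative INTEGER with a clear sign bit and no redundant leading 00."""
    assert value >= 0
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode(bc: BasicConstraints, explicit_false: bool = False) -> bytes:
    """DER-encode basicConstraints.  explicit_false=True deliberately emits
    cA as 01 01 00, which X.690 11.5 forbids in DER (it is the DEFAULT)."""
    body = b""
    if bc.ca:
        body += _tlv(0x01, b"\xff")
    elif explicit_false:
        body += _tlv(0x01, b"\x00")
    if bc.path_len is not None:
        body += _der_int(bc.path_len)
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos); reject non-DER length forms."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or buf[pos + 2] == 0:
            raise ValueError("indefinite or non-minimal length is not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        if length < 0x80:
            raise ValueError("long-form length for a short value is not DER")
        pos += 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode(der: bytes, strict: bool = True) -> BasicConstraints:
    """Parse basicConstraints.  With strict=True, BER-only encodings and
    RFC 3280 profile violations raise ValueError instead of being tolerated."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    bc, pos = BasicConstraints(), 0
    if pos < len(body) and body[pos] == 0x01:
        _, content, pos = _read_tlv(body, pos)
        if len(content) != 1:
            raise ValueError("BOOLEAN content must be exactly one octet")
        if strict and content != b"\xff":
            # 00 is the DEFAULT and must be omitted; 01..FE is not canonical TRUE
            raise ValueError("cA encoded as %02x: not DER" % content[0])
        bc.ca = content[0] != 0
    if pos < len(body) and body[pos] == 0x02:
        _, content, pos = _read_tlv(body, pos)
        if strict and len(content) > 1 and content[0] == 0 and content[1] < 0x80:
            raise ValueError("non-minimal INTEGER is not DER")
        bc.path_len = int.from_bytes(content, "big", signed=True)
        if bc.path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        if strict and not bc.ca:
            raise ValueError("pathLenConstraint without cA=TRUE (RFC 3280 4.2.1.10)")
    if pos != len(body):
        raise ValueError("unexpected trailing data in basicConstraints")
    return bc


def is_der_basic_constraints(der: bytes) -> bool:
    """True only for an encoding the strict decoder accepts."""
    try:
        decode(der, strict=True)
        return True
    except (ValueError, IndexError):
        return False
```

Running `encode(BasicConstraints())` gives the two-byte `30 00` that a compliant EE certificate carries; the `explicit_false` form is there so the reader can feed the rejected encoding to `decode` and see the strict path fire, which is the check a validator should apply before trusting what the extension says.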