Faisal,
According to the X.509 standard 4th edition, there are
three types of self-issued certificate:
a) self-signed certificate (a special case of
self-issued certificates)
b) self-issued end certificate
c) self-issued intermediate certificate
(Please refer to section 8.1.5 of the X.509 standard 4th
edition.)
The definition of self-issued certificate in RFC 3280 is
not aligned with its definition in the
X.509 standard. The so-called self-issued certificates in
RFC 3280 are mostly of type c) in
the X.509 standard. IMHO,
currently both X.509 standard and PKIX have no clear
definition for the format and the handling of self-issued
certificates of type b).
For self-issued certificates of type
c), I believe that the requirement is hidden in steps
(k) and (n) of section 6.1.4 of RFC
3280 as:
(k) Verify that the certificate is a CA certificate (as specified
in a basicConstraints extension or as verified out-of-band).
(n) If a key usage extension is present, verify that the
keyCertSign bit is set.
Note that rules (k) and (n) apply to all intermediate
certificates even if they are self-issued.
My interpretations of these two rules are:
For a v3 intermediate certificate (self-issued or not), it
should contain a basicConstraints extension
with cA=TRUE. For a v1 intermediate certificate
(self-issued or not), the RP needs an out-of-band
method to make sure that it is a CA
certificate.
For a v3 intermediate certificate (self-issued or not), it
should contain a keyUsage extension
with keyCertSign bit asserted. For a v1 intermediate
certificate (self-issued or not), there is no
need to check the key usage but the RP must make
sure that it is a CA certificate.
Regards,
Wen-Cheng Wang
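As an added example (not part of Wen-Cheng Wang's message or of any project code), the following Go program uses the standard crypto/x509 package to build a self-issued certificate of type c): subject and issuer are the same name, but the certificate carries a new CA key and is signed with the old one, so it is self-issued without being self-signed. It then applies rules (k) and (n) of RFC 3280 section 6.1.4 as read above, and returns a distinct error for a v1 certificate, where cA status can only come from out-of-band knowledge. The CA name "Example CA", the serial numbers and the validity period are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNeedOutOfBand is returned for a v1 certificate: it cannot carry a
// basicConstraints extension, so rule (k) needs an out-of-band decision.
var ErrNeedOutOfBand = errors.New("v1 certificate: CA status must be established out-of-band")

// id-ce-keyUsage, used to tell "keyUsage absent" from "keyUsage present".
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// IsSelfIssued reports whether the DER-encoded subject and issuer names are
// identical. It says nothing about which key signed the certificate.
func IsSelfIssued(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer)
}

// CheckIntermediate applies RFC 3280 6.1.4 steps (k) and (n) to a
// certificate that is being used as an intermediate, self-issued or not.
func CheckIntermediate(c *x509.Certificate) error {
	if c.Version < 3 {
		return ErrNeedOutOfBand
	}
	// (k): a basicConstraints extension with cA=TRUE must be present.
	if !c.BasicConstraintsValid || !c.IsCA {
		return errors.New("rule (k): basicConstraints with cA=TRUE is missing")
	}
	// (n): only if keyUsage is present, keyCertSign must be asserted.
	for _, e := range c.Extensions {
		if e.Id.Equal(oidKeyUsage) && c.KeyUsage&x509.KeyUsageCertSign == 0 {
			return errors.New("rule (n): keyUsage present without keyCertSign")
		}
	}
	return nil
}

// BuildSelfIssued builds a self-issued, not self-signed, certificate:
// subject == issuer, signed with the CA's old key, carrying the CA's new
// public key (the usual key-rollover shape). withBC and isCA control the
// basicConstraints extension; ku is written as the keyUsage extension when
// non-zero, so both conforming and non-conforming cases can be produced.
func BuildSelfIssued(withBC, isCA bool, ku x509.KeyUsage) (*x509.Certificate, error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	name := pkix.Name{CommonName: "Example CA"} // constructed sample name
	now := time.Now()

	// Self-signed certificate for the old key; it only serves as the parent
	// so that the issuer name and signing key are the CA's own.
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: name,
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &oldKey.PublicKey, oldKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: name,
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: withBC, IsCA: isCA,
		KeyUsage: ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &newKey.PublicKey, oldKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, err := BuildSelfIssued(true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	if err != nil {
		panic(err)
	}
	fmt.Println("self-issued:", IsSelfIssued(good), "check:", CheckIntermediate(good))
	noBC, _ := BuildSelfIssued(false, false, x509.KeyUsageCertSign)
	fmt.Println("without basicConstraints:", CheckIntermediate(noBC))
	badKU, _ := BuildSelfIssued(true, true, x509.KeyUsageDigitalSignature)
	fmt.Println("keyUsage without keyCertSign:", CheckIntermediate(badKU))
}
```

Note that the check deliberately follows the RFC wording for (n): a v3 certificate with no keyUsage extension at all passes, while one that carries keyUsage without keyCertSign fails. A relying party that wants the stricter reading given above (keyUsage required on every v3 intermediate) would turn the absence of the extension into an error as well.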