Re: basic constraints?
The X.509 documentation is clear on this, but it hasn't been copied or
paraphrased into PKIX yet.
"The pathLenConstraint component shall be present only if cA is set to
true. It gives the maximum number of CA-certificates that may follow
this certificate in a certification path. Value 0 indicates that the
subject of this certificate may issue certificates only to end-entities
and not to further CAs. If no pathLenConstraint field appears in any
certificate of a certification path, there is no limit to the allowed
length of the certification path."
That said, the BasicConstraints extension is (IMO) an example of needless
complexity. It is defined as:
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
where it could have been defined much more simply as:
BasicConstraints ::= INTEGER (0..MAX)
with the integer representing the total number of certs (including the
leaf) that may follow this certificate in the certification path. I.e.
0 indicates not-a-CA, 1 indicates only end-entity certs may be issued,
2 indicates only one CA may follow, etc.
This is one example (the AuthorityKeyIdentifier extension is a more
egregious one) where I agree with the SPKI criticism that the use of
ASN.1 seduces designers into unnecessarily obtuse constructs.
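The pathLenConstraint rule quoted above, and the single-integer alternative proposed in the message, modelled in Python as an added example (this is not code from the original post or from any X.509 library). Each certificate in a path is represented only by its BasicConstraints values (cA, pathLenConstraint) rather than parsed ASN.1; the chain is ordered from the trust anchor down to the leaf, and self-issued certificates, which the X.509 count excludes, are assumed not to occur.

```python
"""Model of X.509 BasicConstraints / pathLenConstraint semantics.

Added illustration: compares the standard (cA, pathLenConstraint) encoding
with the single-integer form suggested in the message, and checks a
certification path against the pathLenConstraint rule.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BasicConstraints:
    # cA BOOLEAN DEFAULT FALSE
    ca: bool = False
    # pathLenConstraint INTEGER (0..MAX) OPTIONAL; None means absent
    path_len: Optional[int] = None

    def __post_init__(self) -> None:
        # X.509: pathLenConstraint shall be present only if cA is TRUE
        if self.path_len is not None and not self.ca:
            raise ValueError("pathLenConstraint present but cA is FALSE")
        if self.path_len is not None and self.path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0")


def to_single_integer(bc: BasicConstraints) -> Optional[int]:
    """Encode in the single-integer form proposed in the message:
    0 = not a CA, k >= 1 = at most k certs (including the leaf) may
    follow, None = CA with no limit (no pathLenConstraint)."""
    if not bc.ca:
        return 0
    if bc.path_len is None:
        return None
    return bc.path_len + 1


def from_single_integer(n: Optional[int]) -> BasicConstraints:
    """Inverse of to_single_integer: recover the standard encoding."""
    if n is None:
        return BasicConstraints(ca=True)
    if n == 0:
        return BasicConstraints(ca=False)
    return BasicConstraints(ca=True, path_len=n - 1)


def check_chain(chain: List[BasicConstraints]) -> Optional[str]:
    """Validate BasicConstraints along a path (trust anchor first, leaf last).

    Returns None when the path is acceptable, otherwise a reason string.
    Assumes no self-issued certificates are present (they would not count
    toward the pathLenConstraint limit).
    """
    if not chain:
        return "empty chain"
    # Every certificate that issued another one in the path must be a CA.
    for i, bc in enumerate(chain[:-1]):
        if not bc.ca:
            return f"certificate {i} issued a certificate but cA is FALSE"
    # pathLenConstraint bounds the number of CA certificates that follow
    # the constrained certificate; the leaf itself is not counted.
    for i, bc in enumerate(chain[:-1]):
        if bc.path_len is not None:
            following_cas = len(chain) - 2 - i
            if following_cas > bc.path_len:
                return (f"certificate {i}: pathLenConstraint {bc.path_len} "
                        f"exceeded ({following_cas} CA certs follow)")
    return None


if __name__ == "__main__":
    # Constructed sample paths: root -> intermediate -> end-entity.
    ok_path = [BasicConstraints(ca=True),
               BasicConstraints(ca=True, path_len=0),
               BasicConstraints()]
    bad_path = [BasicConstraints(ca=True, path_len=0),
                BasicConstraints(ca=True),
                BasicConstraints()]
    print("ok_path :", check_chain(ok_path))
    print("bad_path:", check_chain(bad_path))
    for bc in ok_path:
        print(bc, "->", to_single_integer(bc))
```

The single-integer mapping makes the message's point concrete: the (cA, pathLenConstraint) pair carries exactly the same information as one non-negative integer plus an "absent" case, and the round trip through `to_single_integer` / `from_single_integer` is lossless.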