Re: basic constraints?
>Several questions and comments regarding basic constraints:
>
>Q: How do you count the depth of a certification path? Is a simple
>single-CA model (self-signed root CA signs leaf cert- now that's a small
>tree) a path depth of 0, 1, or 2? (or 7, for all I know). Also, how does
>this work for sub-CAs? If I have the following chain:
>
> Root - CA1 - CA2 - Leaf
As the recommendation X.509 (in Amendment 1 to ITU-T Rec. X.509 -1993 E) says, this field gives the maximum number of CA-certificates that may follow a certificate in a certification path.
In your example, the minimum values would be:
Root: 2
CA1: 1
CA2: 0
Leaf: not present
It's important to remember that this component shall be present only if the "cA" component is set to true.
>What are the minimum valid values for the CA's pathLenConstraint?
The minimum value is 0, meaning that the subject of the certificate may issue certificates only to end-entities and not to further CAs.
>Also, if
>the optional pathLenConstraint is missing, what does this imply? No limit?
If this field doesn't appear in any certificate of a certification path, there is no limit to the allowed length of the certification path. If it's set in any certificate, that value will impose the limit of the certification path.
So, talking about your example, the values would be:
Root: 2
CA1: not present
CA2: not present
Leaf: not present
The value for the root certificate defines the maximum length for the certification path.
Atila.
System Engineer
CertiSign - Certificadora Digital Ltda.
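An added example, not code from the thread or from CertiSign, that applies the rule discussed above to the Root - CA1 - CA2 - Leaf chain: for each CA certificate it counts the CA certificates that follow it in the path and compares that count with the certificate's pathLenConstraint. Certificates are simplified dicts; the `ca` and `path_len` keys are assumptions standing in for the basicConstraints cA flag and pathLenConstraint component.

```python
# Added example (not from the original thread): a minimal pathLenConstraint
# checker over simplified certificate records.
# Each certificate is a dict with keys (assumed names, not a real API):
#   "name": label, "ca": bool (basicConstraints.cA),
#   "path_len": int or None (basicConstraints.pathLenConstraint)

from typing import Optional


def cert(name: str, ca: bool, path_len: Optional[int] = None) -> dict:
    """Build a simplified certificate record (constructed sample data)."""
    return {"name": name, "ca": ca, "path_len": path_len}


def check_path(chain: list) -> list:
    """Return the list of basic-constraints violations (empty if the chain is fine).

    chain is ordered from the root (index 0) down to the leaf, as in the thread.
    """
    problems = []
    for i, c in enumerate(chain):
        is_leaf = i == len(chain) - 1
        # Every certificate that has a successor in the path must be a CA cert.
        if not is_leaf and not c["ca"]:
            problems.append(f'{c["name"]}: issues certificates but cA is false')
        # pathLenConstraint shall be present only when cA is true.
        if c["path_len"] is not None and not c["ca"]:
            problems.append(f'{c["name"]}: pathLenConstraint present but cA is false')
        if c["ca"] and c["path_len"] is not None:
            # Count the CA certificates that follow this one in the path.
            following_cas = sum(1 for d in chain[i + 1:] if d["ca"])
            if following_cas > c["path_len"]:
                problems.append(
                    f'{c["name"]}: pathLenConstraint={c["path_len"]} but '
                    f'{following_cas} CA certificate(s) follow it')
    return problems


# Constructed chains matching the Root - CA1 - CA2 - Leaf example.
MINIMUM_VALUES = [cert("Root", True, 2), cert("CA1", True, 1),
                  cert("CA2", True, 0), cert("Leaf", False)]
ROOT_ONLY = [cert("Root", True, 2), cert("CA1", True),
             cert("CA2", True), cert("Leaf", False)]
TOO_SHORT = [cert("Root", True, 1), cert("CA1", True),
             cert("CA2", True), cert("Leaf", False)]

if __name__ == "__main__":
    for label, chain in [("minimum", MINIMUM_VALUES), ("root-only", ROOT_ONLY),
                         ("too-short", TOO_SHORT)]:
        print(label, check_path(chain) or "OK")
```

The checker treats the root as the first certificate of the path, following the thread's framing; RFC 5280 path validation does not itself process the trust anchor's extensions, so a validator that starts at CA1 would count from there instead.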