Re: basic constraints?
In reply to your message of 25 Jun 97, 3:40:
> Several questions and comment regarding basic constraints:
>
> Q: How do you count the depth of a certification path? Is a simple
> single-CA model (self-signed root CA signs leaf cert- now that's a
> small tree) a path depth of 0, 1, or 2? (or 7, for all I know). Also,
> how does this work for sub-CAs? If I have the following chain:
>
This is more fully explained in the X.509 '97 base standard than in the
PKIX document. It states "Value 0 indicates that the subject of this
certificate may issue certificates only to end-entities and not to
further CAs."
> Root - CA1 - CA2 - Leaf
Thus in your example:
Certificate Subject    PathLenConstraint (min value)
Leaf                   Not present
CA2                    0
CA1                    1
Root                   2
>
> What are the minimum valid values for the CA's pathLenConstraint?
> Also, if the optional pathLenConstraint is missing, what does this
> imply? No limit?
Yes, if not present then no limit.
>
> C: Basic constraints should probably be mentioned in section 6,
> Certificate Path Validation.
>
Quickly looking through the PKIX part 1 section 6 there seem to be
some major discrepancies between this and the equivalent clause 12.4 in
X.509 (e.g. it refers to the "key usage restriction extension" which
no longer exists).
I would suggest that you refer to the '97 version of the X.509 text for
the definitive use of X.509 fields including the use of basic
constraints.
Nick Pope
-------------------------------------
Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.
Tel: +44 1245 495018
Fax: +44 1245 494517
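
The counting rule from the message above, as an added example that is not part of the original thread: a simplified path check that treats a missing pathLenConstraint as "no limit" and a value of 0 as "may issue only to end-entities". The `Cert` tuple, function names and sample chains are constructed for illustration, and the model assumes a root-first chain with no self-issued intermediate certificates.

```python
from typing import List, NamedTuple, Optional

class Cert(NamedTuple):
    subject: str
    is_ca: bool
    path_len: Optional[int]  # None = pathLenConstraint absent, i.e. no limit

def min_path_len(chain: List[Cert]) -> dict:
    """Smallest pathLenConstraint each CA needs; chain is root-first, leaf last."""
    cas = chain[:-1]
    # A CA with k further CA certificates below it needs a value of at least k.
    return {c.subject: len(cas) - 1 - i for i, c in enumerate(cas)}

def check_path(chain: List[Cert]) -> List[str]:
    """Return basic-constraints violations; an empty list means the path is acceptable."""
    errors = []
    for i, cert in enumerate(chain[:-1]):
        if not cert.is_ca:
            errors.append(f"{cert.subject}: issues a certificate but is not a CA")
            continue
        below = len(chain) - 2 - i  # CA certificates that follow this one
        if cert.path_len is not None and below > cert.path_len:
            errors.append(f"{cert.subject}: pathLenConstraint {cert.path_len} "
                          f"but {below} CA certificate(s) follow")
    return errors

# Constructed sample chains: Root - CA1 - CA2 - Leaf
OK_CHAIN = [Cert("Root", True, 2), Cert("CA1", True, 1),
            Cert("CA2", True, 0), Cert("Leaf", False, None)]
# CA1 is limited to issuing end-entity certificates, yet CA2 sits below it.
BAD_CHAIN = [Cert("Root", True, 2), Cert("CA1", True, 0),
             Cert("CA2", True, 0), Cert("Leaf", False, None)]
# No constraint anywhere: unlimited depth.
NO_LIMIT = [Cert("Root", True, None), Cert("CA1", True, None),
            Cert("CA2", True, None), Cert("Leaf", False, None)]

if __name__ == "__main__":
    print(min_path_len(OK_CHAIN))
    for name, chain in (("ok", OK_CHAIN), ("bad", BAD_CHAIN), ("no limit", NO_LIMIT)):
        print(name, check_path(chain) or "path accepted")
```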