Hello all,

the draft-ietf-pkix-ipki-part1-10 says the basic constraint extension MUST appear as a critical extension in all CA certificates but it SHOULD NOT appear in end entity certificates.

Why should the basic constraint extension not appear in end entity certificates? Is it purely to save some bits or is there another reason, like keeping the draft more flexible, e.g. to allow an end entity to issue a certificate for his encryption key himself using his signature key and certificate?

In general, is it possible for an end entity to use his signature key and certificate to issue a certificate for his encryption key himself? Or do you have to have the CA bit set to true in your certificate in order to be able to issue certificates for your own encryption keys?

Any ideas and thoughts are welcome!

Best regards - Petra
Petra Glöckner
GMD-TKT
Petra.Gloeckner@darmstadt.gmd.de