Re: basic constraint extension
>the draft-ietf-pkix-ipki-part1-10 says the basic constraint extension MUST
>appear as a critical extension in all CA certificates but it SHOULD NOT
>appear in end entity certificates.
>
>Why should the basic constraint extension not appear in end entity
>certificates?
Looking back through the different versions, this has been in there since at
least -08, although not worded quite as strongly as this. It seems like a Bad
Thing, since this clashes with the (US) federal profile and Australian profile
and... well I'm not going to enumerate them all, but unless there's some
really good reason for it I don't see why it should be absent, especially
since the generally accepted way (other profiles notwithstanding) seems to be
to encode it as an empty sequence in end-user certs.
Peter.
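As an added illustration (not code from the thread or the draft), the following Python decodes the DER value of the BasicConstraints extension, including the empty-SEQUENCE form Peter mentions for end-user certs, and applies the draft-10 placement wording quoted above; the DER byte strings are constructed samples.

```python
# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_basic_constraints(der):
    """Return (cA, pathLenConstraint); pathLen is None when absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0   # empty SEQUENCE 30 00 => cA FALSE
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN
        _, v, pos = _read_tlv(body, pos)
        if len(v) != 1 or v[0] not in (0x00, 0xFF):
            raise ValueError("BOOLEAN is not DER encoded")
        ca = v[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:          # INTEGER
        _, v, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(v, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0")
    if pos != len(body):
        raise ValueError("trailing data inside BasicConstraints")
    return ca, path_len

def check_placement(is_ca_cert, bc_der, critical):
    """Findings under the draft-10 rule: MUST be critical in CA certs,
    SHOULD NOT appear in end-entity certs. bc_der is None when absent."""
    findings = []
    if is_ca_cert:
        if bc_der is None:
            findings.append("MUST: CA certificate lacks basicConstraints")
        elif not critical:
            findings.append("MUST: basicConstraints not critical in CA certificate")
    elif bc_der is not None:
        ca, _ = decode_basic_constraints(bc_der)
        findings.append("end-entity certificate asserts cA=TRUE" if ca else
                        "SHOULD NOT: basicConstraints present in end-entity certificate")
    return findings

if __name__ == "__main__":
    # constructed samples: empty SEQUENCE, cA=TRUE, cA=TRUE with pathLen 0
    for h in ("3000", "30030101ff", "30060101ff020100"):
        print(h, decode_basic_constraints(bytes.fromhex(h)))
    print(check_placement(False, bytes.fromhex("3000"), False))
```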