RE: CA vs. EE cert processing

[Stephen Kent <kent@xxxxxxxxxxx>]

Alan,

>X.509 defines that Basic Constraints is used to indicate that the public
>key in the cert is valid for testing certificate signatures - by a
>certificate using system eg. a client or EE. By definition it means that
>in  (eg.) a 3 tier CA model that the root level CA has granted a private
>and public key ( in a cert with BC set to CA) to a middle level CA to
>issue certificates with and "advertise the fact (in its certificate)
>that the root trusts the middle CA to issue certs and for clients to
>validate such certs using the middle CAs public key.
>
>It strikes me that any PKIX compliant top level ROOT CA will set this
>extension to ensure that the correct PKeys are used to validate certs
>which point to itself. However, what the client software does with this
>extension is another matter. Both have to be compatable. If an EE in its
>validation path gets a cert with which it wants to validate a lower
>level certificate with and this extension is not set - it should give up
>- if ideology is maintained. However, X.509 permits an exit to this
>process to enable a CA path to be built and validated without cert
>extensions - simply because that is what they are - optional certificate
>extensions.

This is a very muddled description that I have a bit of trouble following.
For example, the root CA in your example would not, in general, grant "a
private and public key" to another CA.  Do you mean the root CA would sign
a cert with the publci key of the middle CA?  Please restate your argument
using terms from X.509 and/or 2459 so I, and maybe others, can more clearly
understand your point.

Steve