Re: CA vs. EE cert processing
> From: John_Wray@iris.com
>
> It's purely deterministic. If PKIX mandated the presence of the
> basicConstraints extension, then a verifier could, without any
> outside knowledge, immediately categorize a certificate as
> "CA cert", "EE cert" or "Unknown (and not PKIX-compliant)".
A verifier doesn't need to categorize a particular certificate,
it needs to validate a path. You are proposing to change the
requirements on EE certs; CA certs are *unaffected* by the proposal.
It doesn't make any difference to the verifier whether the last
cert in a path is definitely an EE, definitely a CA, or unknown.
All that matters is that every cert but the last is definitely
a CA, and requiring a CA=false flag in every EE cert does not
affect the validity of the path.
Software which returns either "valid" or "invalid" when presented
with a path containing ambiguous certs will not change its behavior,
regardless of whether EE cert requirements are changed.
> If they pick (ii), then PKIX would be fine whether or not we required
> basicConstraints in EE certs, and the ambiguity would slowly vanish as
> systems that generate un-extended CA certs come into compliance with
> X.509. However, even V1 certs haven't yet vanished from the world,
> so I imagine this process is likely to take a long time, so having all
> PKIX certs contain the extension is still a win as it eliminates the
> ambiguity immediately.
Why do you assume that putting the extension into CA certs in response to
a change in X.509 would take a long time, but that putting it into EE
certs in response to a change in PKIX would happen immediately?
There are a lot fewer of the former. And though we might not wish to
believe it, there might be people out there who use X.509 but not the PKIX
profile :-). Picking option (ii) would help everyone, not just those in
the Internet universe.
> It seems that in all cases, having PKIX generate certificates
> that are unambiguous under today's X.509 is worthwhile.
How much current software would be helped by changing the requirements
on EE certs (i.e. would magically start behaving differently if PKIX
were modified)?
My answer: none.
How would changing PKIX affect the development of new verifying software
(i.e. what would new software do differently if PKIX is changed vs.
not changed, recognizing that up to 3 types of certs -
non-RFC2459 X.509, RFC2459, and new-modified-PKIX - will be around
for a while)?
My answer: nothing.
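An added illustration of the point argued in this message (example code written for this page, not code from either poster): a toy model of the RFC 2459 path check, in which a certificate is a plain record whose basicConstraints extension may be present with cA=TRUE, present with cA=FALSE, or absent. Signatures, validity periods and name constraints are deliberately left out, since the argument concerns only how the verifier treats basicConstraints. The certificate names and the trust anchor are constructed for the example.

```python
# Added example, not part of the original message. Models the RFC 2459
# rule that every certificate in a path except the last must be
# definitely a CA (basicConstraints present with cA=TRUE), while the
# last certificate may be an EE, a CA, or ambiguous.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int                     # 1 or 3
    ca: Optional[bool] = None        # basicConstraints.cA; None means extension absent
    path_len: Optional[int] = None   # basicConstraints.pathLenConstraint


def classify(cert: Cert) -> str:
    """Categorize one cert from basicConstraints alone: CA, EE or unknown."""
    if cert.ca is True:
        return "CA"
    if cert.ca is False:
        return "EE"
    return "unknown"


def validate_path(path: List[Cert], trust_anchor: str) -> Tuple[bool, str]:
    """path[0] is issued by the trust anchor; path[-1] is the cert being validated."""
    if not path:
        return False, "empty path"
    if path[0].issuer != trust_anchor:
        return False, "first cert not issued by trust anchor"
    for i in range(1, len(path)):
        if path[i].issuer != path[i - 1].subject:
            return False, f"cert {i} not issued by cert {i - 1}"
    # Every cert but the last must be definitely a CA. The last cert's
    # category is never consulted, so adding cA=FALSE to it changes nothing.
    for i, cert in enumerate(path[:-1]):
        if classify(cert) != "CA":
            return False, f"cert {i} ({cert.subject}) is not definitely a CA"
        if cert.path_len is not None:
            # pathLenConstraint bounds how many CA certs may follow this one.
            following_cas = len(path) - i - 2
            if following_cas > cert.path_len:
                return False, f"cert {i} ({cert.subject}) exceeds pathLenConstraint {cert.path_len}"
    return True, "valid"


# Constructed sample certificates (names and structure are made up).
ROOT = "C=US, O=Example Root"
ICA = Cert("C=US, O=Example Intermediate", ROOT, 3, ca=True, path_len=0)
SUB_CA = Cert("C=US, O=Example Sub CA", ICA.subject, 3, ca=True)
EE_NO_EXT = Cert("CN=alice", ICA.subject, 3)              # basicConstraints absent
EE_CA_FALSE = Cert("CN=alice", ICA.subject, 3, ca=False)  # basicConstraints {cA=FALSE}
V1_INTERMEDIATE = Cert("O=Old CA", ROOT, 1)               # v1 cert: no extensions at all
EE_UNDER_V1 = Cert("CN=bob", V1_INTERMEDIATE.subject, 3)
EE_UNDER_SUB = Cert("CN=carol", SUB_CA.subject, 3)


def ee_requirement_makes_no_difference() -> bool:
    """The poster's claim: a cA=FALSE flag on the EE cert leaves the verdict unchanged."""
    return validate_path([ICA, EE_NO_EXT], ROOT) == validate_path([ICA, EE_CA_FALSE], ROOT)


def ambiguous_intermediate_rejected() -> Tuple[bool, str]:
    """An intermediate without basicConstraints is 'unknown', so the path fails."""
    return validate_path([V1_INTERMEDIATE, EE_UNDER_V1], ROOT)


if __name__ == "__main__":
    print("EE with/without cA=FALSE give same result:", ee_requirement_makes_no_difference())
    print("CA cert as last cert:", validate_path([ICA], ROOT))
    print("v1 intermediate:", ambiguous_intermediate_rejected())
    print("pathLenConstraint 0 exceeded:", validate_path([ICA, SUB_CA, EE_UNDER_SUB], ROOT))
```

Running it shows the two EE variants producing identical verdicts, a path whose last cert is itself a CA validating, and a path through a v1 (extension-less) intermediate failing because that cert cannot be shown to be a CA; the last call shows the pathLenConstraint check firing when a second CA follows one with pathLenConstraint 0.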