Re: CA vs. EE cert processing

[Moshe Litvin <moshe@xxxxxxxxxxxxxxxxxxx>]

David,

"David P. Kemp" wrote:

<snip>

>
> How much current software would be helped by changing the requirements
> on EE certs (i.e. would magically start behaving differently if PKIX
> were modified)?
>
>   My answer: none.
>
> How would changing PKIX affect the development of new verifying software
> (i.e. what would new software do differently if PKIX is changed vs.
> not changed, recognizing that up to 3 types of certs -
> non-RFC2459 X.509, RFC2459, and new-modified-PKIX - will be around
> for a while)?
>
>   My answer: nothing.

You are asking the wrong questions. The correct questions are:

How much current software would be helped by an EE certificate that contains
the basicConstraint (i.e. won't consider it as a CA certificate in the path
validation process)

    My answer: Every PKIX compliant software(*) and I guess a lot of non PKIX
compliant X.509 software.

How would changing PKIX affect the development of new issuing software
(i.e. what would new software do differently if PKIX is changed vs.
not changed)

    My answer: I guess that most CA vendor that consider the internet as their
market would follow it.

Change to PKIX won't change the verifying software, but its behavior will be
changes as a result in the change of the certificate.

Moshe

(*) PKIX compliant verifier MUST recognize the basicConstraint extension.
Section 4.2 says:

   At a minimum, applications conforming to this profile MUST recognize
   the extensions which must or may be critical in this specification.
   These extensions are:  .... basic constraints (see sec. 4.2.1.10) ....

begin:vcard 
n:Litvin;Moshe
tel;fax:+972 3 5759256
tel;work:+972 3 7534601
x-mozilla-html:TRUE
org:Check Point Software Technologies Ltd.
adr:;;;;;;
version:2.1
email;internet:moshe@CheckPoint.com
fn:Moshe Litvin
end:vcard