RE: CA vs. EE cert processing
Russ.
I absolutely agree that the Profile should say that if the Ext BC is not
there OR it is there with a NULL then it's an EE cert - but this text does
not define usage - which is the critical part.
And the SHALL NOT bit and the fuzzy words of 2119 just leave curiosity.
It would be nice if the para with SHALL NOT in is replaced with words
like.
"If the BC extension is not present or set to a NULL then the
certificate belongs to an EE and MUST NOT be used by the certificate
using system to verify the signature of a certificate."
All done, precise, no indirection to other text which is fuzzy.
regards alan
----------
From: Russ Housley
To: ietf-pkix@imc.org
Sent: 4/16/99 4:32:32 AM
Subject: RE: CA vs. EE cert processing
I have kept quiet on this thread. I cannot hold it in any longer.
RFC 2459 has no ambiguity in this area. If basicConstraints is present,
then the cA boolean tells whether the certificate belongs to a CA or an EE.
If basicConstraints is absent, then the certificate belongs to an EE.
Period.
If an implementor wishes to support other profiles in addition to RFC 2459,
then the logic may be more complex. Fine. This was a market choice made
by the implementor.
I do not think that RFC 2459 should be altered to make support for multiple
profiles easier.
Russ
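
Added example, not part of either message above and not code from RFC 2459: a minimal Python sketch of the decision rule the thread discusses (basicConstraints absent means EE, otherwise the cA boolean decides), combined with the usage restriction proposed in the reply. The function names are hypothetical, the input is assumed to be the DER contents of the extension value or None when the extension is absent, and failing closed on a malformed extension is a choice made for this example.

```python
# Added example: RFC 2459 CA-vs-EE decision from the basicConstraints extension.
# ext_value is the DER BasicConstraints SEQUENCE, or None if the extension is absent (assumed input).
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one TLV with a short or 1-2 octet long length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give number of length octets
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(ext_value):
    """Return (is_ca, path_len). Absent extension -> (False, None), i.e. an EE certificate."""
    if ext_value is None:
        return False, None
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    is_ca, path_len, pos = False, None, 0  # cA is BOOLEAN DEFAULT FALSE
    if pos < len(body) and body[pos] == 0x01:
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("bad BOOLEAN")
        is_ca = val != b"\x00"             # accepts any non-zero octet as TRUE (BER-tolerant)
    if pos < len(body) and body[pos] == 0x02:
        _, val, pos = _read_tlv(body, pos)
        if not val or val[0] & 0x80:
            raise ValueError("bad pathLenConstraint")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return is_ca, path_len

def may_verify_certificates(ext_value):
    """True only for a CA certificate; a malformed extension fails closed (example's choice)."""
    try:
        return parse_basic_constraints(ext_value)[0]
    except ValueError:
        return False

# Constructed sample: SEQUENCE { BOOLEAN TRUE, INTEGER 0 }, a CA with pathLenConstraint 0.
CA_SAMPLE = bytes.fromhex("30060101ff020100")
```

A path validator would call `may_verify_certificates` on every certificate whose public key is about to be used to check another certificate's signature, and reject the path when it returns False.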