Re: CA vs. EE cert processing
Russ,
Russ Housley wrote:
> I have kept quiet on this thread. I cannot hold it in any longer.
>
> RFC 2459 has no ambiguity in this area. If basicConstraints is present,
> then the cA boolean tells whether the certificate belongs to a CA or an EE.
> If basicConstraints is absent, then the certificate belongs to an EE. Period.
The term "ambiguity" is not the exact term. The problem is not ambiguity but
relying on out-of-band data. RFC 2459 is very clear as long as you know by out-of-band
data that the certificate was issued by an RFC 2459-compliant CA.
>
>
> If an implementor wishes to support other profiles in addition to RFC 2459,
> then the logic may be more complex. Fine. This was a market choice made
> by the implementor.
>
> I do not think that RFC 2459 should be altered to make support for multiple
> profiles easier.
Why? Do you think that the whole world would choose to adopt RFC 2459 and all the other
profiles (including the base X.509) would become obsolete?
Why would you force software designers to choose between two contradicting profiles
of the same standard when you can easily allow them to support both?
What is the compelling reason to prevent interoperability in that way?
Moshe
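The two readings being argued over, as an added example that is not part of the thread: the strict RFC 2459 rule Russ states, beside a lenient multi-profile check that, when basicConstraints is absent, falls back to the out-of-band knowledge Moshe describes. It uses Go's crypto/x509 on self-signed test certificates constructed in memory; the knownLegacyCA flag is an assumed stand-in for that out-of-band knowledge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// rfc2459IsCA is the rule Russ quotes: if basicConstraints is present the cA
// boolean decides; if it is absent the certificate belongs to an end entity.
func rfc2459IsCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA
}

// lenientIsCA models the multi-profile logic Moshe wants to remain possible:
// with no basicConstraints the answer comes from out-of-band knowledge, here an
// assumed caller-supplied flag saying the issuer follows pre-2459 X.509 rules.
func lenientIsCA(c *x509.Certificate, knownLegacyCA bool) bool {
	if c.BasicConstraintsValid {
		return c.IsCA
	}
	return knownLegacyCA
}

// makeCert builds a self-signed test certificate (constructed sample data).
// withBC chooses whether basicConstraints is emitted at all; ca sets cA.
func makeCert(withBC, ca bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test cert"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: withBC,
		IsCA:                  ca,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Under the strict rule the certificate without basicConstraints is always an EE; under the lenient rule its status depends entirely on what the verifier knows about the issuer, which is exactly the dependency the reply complains about.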