test suite certs don't follow some RFC3280 MUSTs

Subject: test suite certs don't follow some RFC3280 MUSTs
From: Sam Roberts <sroberts@certicom.com>
Date: Tue, 2 Sep 2003 14:35:43 -0400
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.0i


When running the cert chains through our validator, we found that CA
certificates lack the Key Usage extension (which must be present), and
that Basic Constraints are not always critical.

Thanks for the great work on the test suite, it was quite useful.

Cheers,
Sam

>From RFC3280:

4.2.1.3  Key Usage

  ...

	This extension MUST appear in certificates that contain public keys
	that are used to validate digital signatures on other public key
	certificates or CRLs.


4.2.1.10  Basic Constraints

  ...

	This extension MUST appear as a critical extension in all CA
	certificates that contain public keys used to validate digital
	signatures on certificates.


-- 
Sam Roberts <sroberts@certicom.com>

Follow-Ups:
- Re: test suite certs don't follow some RFC3280 MUSTs
  - From: "David A. Cooper" <david.cooper@nist.gov>

Prev by Date: Re: Licensing question
Next by Date: Re: test suite certs don't follow some RFC3280 MUSTs
Prev by thread: NIST servers down
Next by thread: Re: test suite certs don't follow some RFC3280 MUSTs

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov