Re: test suite certs don't follow some RFC3280 MUSTs

["David A. Cooper" <david.cooper@nist.gov>]

Sam Roberts wrote:

>When running the cert chains through our validator, we found that CA
>certificates lack the Key Usage extension (which must be present), and
>that Basic Constraints are not always critical.
>

Sam,

There is at least one test in section 4.6 (Verifying Basic Constraints) 
in which the basic constraints extension is intentionally set 
non-critical.  While RFC 3280 requires that this extension be critical, 
that is a generation requirement.  Clients should be able to process the 
extension even if it is non-critical.

I could not find any certificates in which the key usage extension was 
not present.  However, there are some tests in section 4.7 (Key Usage) 
in which an intermediate certificate includes a key usage extension with 
either the keyCertSign or cRLSign bit set to false.  In such tests, 
however, the paths should be considered invalid as a result of this.

Were there any examples of the problems that you mention above in which 
the contents of the certificates did not seem in line with the 
description of the tests that use the certificates?  If so, could you 
give me a specific example of such a certificate?

Thanks,

Dave