Re: test suite certs don't follow some RFC3280 MUSTs



Wrote "David A. Cooper" <david.cooper@nist.gov>, on Fri, Sep 05, 2003 at 06:10:14PM -0400:
> >Even in the most recent certs, basic constraints isn't critical, and
> >key usage is missing, so the certs don't serve as an example of a cert
> >that follows the RFC3280 generation requirements (even though that
> >doesn't affect the cert path processing).
> 
> As I said before, I could not find an example of a certificate that does 
> not include a key usage extension.  Even the self-signed trust anchor 
> certificate includes critical key usage and basic constraints extensions 
> (at the end of this message is a printout of the trust anchor 
> certificate that was generated using OpenSSL).

I thought that the "X.509 Path Validation Test Suite, Version 1.07"
was the most recent version of the "Public Key Interoperability Test
Suite", with PKITS_data.zip in a form best-suited for loading into an
LDAP server, and x509tests.zip being arranged as a set of stand-alone
tests.

> >>I re-checked 3280 and you are correct that the text of 3280 requires 
> >>inclusion of these extensions, even in a trust anchor certificate.  I am 
> >>trying to remember why; I believe that many implementations reject trust 
> >>anchor certificates that do not contain these extensions.

>    When the trust anchor is provided in the form of a self-signed
>    certificate, this self-signed certificate is not included as part
>    of the prospective certification path.

OK, they are required to be present, and required not to be used.

I didn't read this carefully enough before, I'll make sure we do this.

It would be interesting to see a test case for this, one with a trust
anchor as self-signed cert, and a key usage and basic constraints saying
the trust anchor cert is NOT a CA certificate. It should be a valid
path.

Thanks, and sorry for the confusion about the test suite versions.
Sam

-- 
Sam Roberts <sroberts@certicom.com>
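The treatment of the trust anchor discussed above (RFC 3280 section 6.1: the self-signed anchor certificate supplies the initial issuer name and key but is not part of the prospective path), as an added example that is not from this thread, from NIST's test suite, or from any real X.509 library. It is a toy Python model of the path-processing state machine: certificates are plain dicts, and HMAC tags over the to-be-signed fields stand in for public-key signatures (constructed data, not real certificates). The helper names (`make_cert`, `validate_path`, `path_valid`) and the dict field names are this example's own. It builds the test case Sam proposes, an anchor whose own extensions say cA=FALSE and whose keyUsage lacks keyCertSign, and goes a little beyond it by also showing that the same checks the anchor is exempt from do apply to certificates inside the path.

```python
import hashlib
import hmac
import json


class PathError(Exception):
    """Raised when a certification path fails RFC 3280 6.1 processing."""


def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields (everything but the signature)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(tbs, sort_keys=True).encode()


def sign(signing_key, cert):
    """Toy stand-in for a signature: an HMAC tag keyed with the issuer's key string."""
    return hmac.new(signing_key.encode(), tbs_bytes(cert), hashlib.sha256).hexdigest()


def make_cert(subject, issuer, key, signing_key, basic_constraints=None, key_usage=None):
    """Build a toy certificate (constructed example). 'key' is the subject's key;
    the tag is produced with the issuer's key (for a self-signed cert, its own)."""
    cert = {
        "subject": subject,
        "issuer": issuer,
        "key": key,
        "basic_constraints": basic_constraints,  # e.g. {"ca": True, "path_len": 0}, or None
        "key_usage": key_usage,                  # e.g. ["keyCertSign"], or None when absent
    }
    cert["signature"] = sign(signing_key, cert)
    return cert


def validate_path(trust_anchor, path):
    """RFC 3280 6.1 processing of path = [cert issued by the anchor, ..., end entity].

    6.1.1: the trust anchor only initialises the working issuer name and key. It is
    not a member of the path, so its own basicConstraints and keyUsage are never
    inspected here. Returns the end entity's subject name or raises PathError."""
    working_issuer_name = trust_anchor["subject"]
    working_key = trust_anchor["key"]
    max_path_length = len(path)  # 6.1.2: initialised to n, the path length
    for i, cert in enumerate(path):
        # 6.1.3 basic certificate processing: name chaining and signature check
        if cert["issuer"] != working_issuer_name:
            raise PathError(f"{cert['subject']}: issuer does not match working issuer name")
        if not hmac.compare_digest(sign(working_key, cert), cert["signature"]):
            raise PathError(f"{cert['subject']}: signature does not verify under working key")
        if i < len(path) - 1:
            # 6.1.4 preparation for the next certificate: runs for every
            # certificate except the last, and never for the anchor itself
            bc = cert["basic_constraints"]
            if not (bc and bc.get("ca")):
                raise PathError(f"{cert['subject']}: basicConstraints cA is not TRUE")
            if max_path_length <= 0:
                raise PathError(f"{cert['subject']}: pathLenConstraint exceeded")
            max_path_length -= 1
            if "path_len" in bc and bc["path_len"] < max_path_length:
                max_path_length = bc["path_len"]
            ku = cert["key_usage"]
            if ku is not None and "keyCertSign" not in ku:
                raise PathError(f"{cert['subject']}: keyUsage lacks keyCertSign")
            working_issuer_name = cert["subject"]
            working_key = cert["key"]
    return path[-1]["subject"]


def path_valid(trust_anchor, path):
    """Boolean wrapper around validate_path."""
    try:
        validate_path(trust_anchor, path)
        return True
    except PathError:
        return False


# Constructed test data. ANCHOR is the proposed test case: self-signed, with
# basicConstraints cA=FALSE and a keyUsage that does not include keyCertSign.
ANCHOR = make_cert("CN=Anchor", "CN=Anchor", "anchor-key", "anchor-key",
                   {"ca": False}, ["digitalSignature"])
SUB_CA = make_cert("CN=Sub CA", "CN=Anchor", "subca-key", "anchor-key",
                   {"ca": True, "path_len": 0}, ["keyCertSign", "cRLSign"])
END_ENTITY = make_cert("CN=End Entity", "CN=Sub CA", "ee-key", "subca-key",
                       None, ["digitalSignature"])

# Negative cases: inside the path, cA=FALSE and pathLenConstraint are enforced.
NOT_A_CA = make_cert("CN=Not a CA", "CN=Anchor", "notca-key", "anchor-key",
                     {"ca": False}, ["keyCertSign"])
EE_UNDER_NOT_A_CA = make_cert("CN=EE 2", "CN=Not a CA", "ee2-key", "notca-key")
SUB_SUB_CA = make_cert("CN=Sub Sub CA", "CN=Sub CA", "subsubca-key", "subca-key",
                       {"ca": True}, ["keyCertSign"])
EE_UNDER_SUB_SUB_CA = make_cert("CN=EE 3", "CN=Sub Sub CA", "ee3-key", "subsubca-key")

if __name__ == "__main__":
    print("anchor with cA=FALSE, valid path below it:", path_valid(ANCHOR, [SUB_CA, END_ENTITY]))
    print("intermediate with cA=FALSE:", path_valid(ANCHOR, [NOT_A_CA, EE_UNDER_NOT_A_CA]))
    print("pathLenConstraint 0 exceeded:", path_valid(ANCHOR, [SUB_CA, SUB_SUB_CA, EE_UNDER_SUB_SUB_CA]))
```

The first case validates because the anchor's cA=FALSE is simply never read; the other two fail because the same fields are read for every certificate that has a successor in the path. A real implementation that does inspect the anchor's extensions would reject the first case, which is consistent with the observation above that some implementations reject anchors lacking these extensions and with RFC 3280 requiring them to be present anyway.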
