RE: Test case 4.6.4

Subject: RE: Test case 4.6.4
From: "Horvath, Tom" <tom.horvath@baesystems.com>
Date: Wed, 16 Feb 2005 09:38:04 -0500
content-class: urn:content-classes:message
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="us-ascii"
Thread-Index: AcUTr+ST5tsyZF5DTFmjzIH/KZbxywAgj3ng
Thread-Topic: Test case 4.6.4


Evik,

It is true that this test does not comply with PKIX, however PKIX and
X.509 do not agree completely on the criticality of the basic
constraints extension. PKIX is more restrictive. If you read section 4.6
of the PKITS data description document, which I have included below, we
clearly state that we are adhering to X.509 and not PKIX in this test
case: 

4.6 Verifying Basic Constraints
The tests in this section can be used to determine if an application
properly processes the basicConstraints extension as specified in X.509:

[X.509 8.4.2.1] If [the basicConstraints] extension is present and is
flagged critical, or is flagged non-critical but is recognized by the
certificate-using system, then:

- if the value of cA is not set to true then the certified public key
shall not be used to verify a certificate signature;
- if the value of cA is set to true and pathLenConstraint is present
then the certificate-using system shall check that the certification
path being processed is consistent with the value of pathLenConstraint.

NOTE 1 - If this extension is not present, or is flagged non-critical
and is not recognized by a certificate-using system, then the
certificate is to be considered an end-entity certificate and cannot be
used to verify certificate signatures.

Thanks,

Tom Horvath
Principal Security Systems Engineer
_______________________________
BAE SYSTEMS Information Technology
141 National Business Pkwy. Suite 210
Annapolis Junction, MD 20701

tom.horvath@baesystems.com
(301) 939-2728

-----Original Message-----
From: pkits@nist.gov [mailto:pkits@nist.gov] On Behalf Of evik
Sent: Tuesday, February 15, 2005 5:42 PM
To: Multiple recipients of list
Subject: Test case 4.6.4


Hi

I have a problem with test case 
4.6.4 Valid basicConstraints Not Critical Test4

It states that the CA certificate contains the basicConstraints
extension, the cA component is true, but the extension is marked not
critical.

In rfc3280 point 4.2.1.10 page 36 states this about basicConstraints:

 This extension MUST appear as a critical extension in all CA
 certificates that contain public keys used to validate digital
 signatures on certificates.  This extension MAY appear as a
 critical or non-critical extension in CA certificates that contain
 public keys used exclusively for purposes other than validating
 digital signatures on certificates.  Such CA certificates
 include ones that contain public keys used exclusively for validating
 digital signatures on CRLs and ones that contain key
 management public keys used with certificate enrollment protocols.
 This extension MAY appear as a critical or non-critical
 extension in end entity certificates.

>From this paragraph the first sentence is important.
It clearly states that this extension MUST appear and MUST be marked as
critical in CA certificates used for signing certificates. For this
reason I think that the expected result for test case 4.6.4 should be:
The path should NOT validate successfully because the extension is
marked non critical.

evik

Prev by Date: Test case 4.6.4
Next by Date: Re: Test case 4.6.4
Prev by thread: Re: Test case 4.6.4
Next by thread: How to use the certpair files?

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov