Re: Test case 4.6.4

Subject: Re: Test case 4.6.4
From: Sam Roberts <sroberts@certicom.com>
Date: Wed, 16 Feb 2005 10:47:21 -0500
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <42136255.9020005@nist.gov>
References: <20050215224008.GC23875@mail.chaos.hu> <42136255.9020005@nist.gov>
User-Agent: Mutt/1.5.0i


Wrote "David A. Cooper" <david.cooper@nist.gov>, on Wed, Feb 16, 2005 at 10:14:48AM -0500:
> 
> Evik,
> 
> This is really just a case where RFC 3280 needed to be more carefully 
> worded.

[snip]

> We are working to make this more clear in 3280bis.  For example, in the 
> initial draft of 3280bis, the basicConstraints section states:
> 
>   This extension MUST appear in all CA certificates that contain public
>   keys used to validate digital signatures on certificates.  Conforming
>   CAs MUST mark the extension as critical in such certificates.
> 
> The idea is to make it more clear in 3280bis when a requirement only 
> applies to conforming CAs or only applies to conforming applications.

Thats a great idea. The above text isn't enough to make that clear, imo.

I suggest strongly that you add a paragraph to the path validation
section stating clearly that path validation SHOULD NOT include checks
to confirm that the certificates in the path were generated by a
PKIX-conformant CA, along with a short description of why - like your
explanation above.

I've seen this error in 3 or 4 PKI toolkits.  I've also had fierce
arguments with people over why its an interop problem to consider paths
invalid when the generation "must"s weren't obeyed, and had to point
them to email from you...

Putting background info into 3280bis would be a great help.

Cheers,
Sam


> Dave
> 
> evik wrote:
> 
> >Hi
> >
> >I have a problem with test case 
> >4.6.4 Valid basicConstraints Not Critical Test4
> >
> >It states that the CA certificate contains the basicConstraints
> >extension, the cA component is true, but the extension is marked not
> >critical.
> >
> >In rfc3280 point 4.2.1.10 page 36 states this about basicConstraints:
> >
> >This extension MUST appear as a critical extension in all CA
> >certificates that contain public keys used to validate digital
> >signatures on certificates.  This extension MAY appear as a
> >critical or non-critical extension in CA certificates that contain
> >public keys used exclusively for purposes other than validating
> >digital signatures on certificates.  Such CA certificates
> >include ones that contain public keys used exclusively for validating
> >digital signatures on CRLs and ones that contain key
> >management public keys used with certificate enrollment protocols.
> >This extension MAY appear as a critical or non-critical
> >extension in end entity certificates.
> >
> >From this paragraph the first sentence is important.
> >It clearly states that this extension MUST appear and MUST be marked as
> >critical in CA certificates used for signing certificates. For this
> >reason I think that the expected result for test case 4.6.4 should be:
> >The path should NOT validate successfully because the extension is
> >marked non critical.
> >
> >evik
> >

-- 
Sam Roberts <sroberts@certicom.com>

References:
- Test case 4.6.4
  - From: evik <evik@mail.chaos.hu>
- Re: Test case 4.6.4
  - From: "David A. Cooper" <david.cooper@nist.gov>

Prev by Date: Re: Test case 4.6.4
Next by Date: X.509 path discovery test suite
Prev by thread: Re: Test case 4.6.4
Next by thread: RE: Test case 4.6.4

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov