The material below is from RFC 2632.
Seems to me that the statements about end-entity certificates
in the last two paragraphs conflict with each other.
One says that end-entity certificates contain a basicConstraints extension
and another says they shouldn't.
Maybe I misunderstood those statements.
Could anyone please enlighten me on the subject?
Many thanks.
++++++++++++++++++++++++++++++++++++++++++++++
4.4.1 Basic Constraints Certificate Extension

The basic constraints extension serves to delimit the role and
position of an issuing authority or end-entity certificate plays in a
chain of certificates.

For example, certificates issued to CAs and subordinate CAs contain a
basic constraint extension that identifies them as issuing authority
certificates. End-entity certificates contain an extension that
constrains the certificate from being an issuing authority
certificate.

Certificates SHOULD contain a basicConstraints extension in CA
certificates, and SHOULD NOT contain that extension in end entity
certificates.
--
---------------------------------------
Gwangsoo Rhee <rhee(_at_)sookmyung(_dot_)ac(_dot_)kr>
Sookmyung University, Korea
tel: +82-2-710-9429 fax: 710-9296
---------------------------------------