ietf-smime

RE: Question on basicConstraints from RFC 2632

2000-09-11 01:43:56
Gwangsoo Rhee,

The last paragraph states that an end-entity certificate SHOULD NOT contain
a basic constraints extension, it doesn't say that it MUST NOT contain one.
As a consequence, an end-entity certificate MAY contain a basic constraints
extension, and if it does, the semantic meaning of that extension is as
described in the first paragraph.

This is a typical example of the standard providing a discretionary
recommendation rather than a mandatory instruction.  In this case it is
quite right and proper, and aids interoperability.  It follows the usual aim
of IETF standards in being precise in what you send, but flexible in what
you receive.

Hope this helps,

Darren
---------------------------------------------------------------------
Darren Harter B.Sc. (Hons) MBCS CEng
European Professional Services Group,
Entegrity Solutions Corp.


-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Gwangsoo Rhee
Sent: 11 September 2000 06:51
To: ietf-smime(_at_)imc(_dot_)org
Subject: Question on basicConstraints from RFC 2632


The material below is from RFC 2632.
Seems to me that the statements about end-entity certificates
in the last two paragraphs conflict with each other.
One says that end-entity certificates contain a basicConstraints extension
and another says they shouldn't.
Maybe I misunderstood those statements.
Could anyone please enlighten me on the subject?

Many thanks.

++++++++++++++++++++++++++++++++++++++++++++++

4.4.1 Basic Constraints Certificate Extension

   The basic constraints extension serves to delimit the role and
   position of an issuing authority or end-entity certificate plays in a
   chain of certificates.

   For example, certificates issued to CAs and subordinate CAs contain a
   basic constraint extension that identifies them as issuing authority
   certificates. End-entity certificates contain an extension that
   constrains the certificate from being an issuing authority
   certificate.

   Certificates SHOULD contain a basicConstraints extension in CA
   certificates, and SHOULD NOT contain that extension in end entity
   certificates.

--

---------------------------------------
Gwangsoo Rhee <rhee(_at_)sookmyung(_dot_)ac(_dot_)kr>
Sookmyung University, Korea
tel: +82-2-710-9429  fax: 710-9296
---------------------------------------
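
Added example (not part of the original thread or of RFC 2632): a receiver that accepts an end-entity certificate whether or not it carries basicConstraints, by decoding the extension value `SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }` when present. The function names, the sample byte strings, and the policy that a missing extension means "not an issuer" are assumptions of this sketch.

```python
from typing import Optional, Tuple

# Constructed sample extnValue encodings (not taken from real certificates).
SAMPLES = {
    "ee, empty SEQUENCE": bytes.fromhex("3000"),
    "ca": bytes.fromhex("30030101ff"),
    "ca, pathLen 0": bytes.fromhex("30060101ff020100"),
}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for one TLV with a short-form length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected here")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end

def parse_basic_constraints(extn_value: bytes) -> Tuple[bool, Optional[int]]:
    """Decode BasicConstraints DER into (cA, pathLenConstraint)."""
    tag, body, end = _read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("expected exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0          # cA is DEFAULT FALSE
    if pos < len(body) and body[pos] == 0x01:   # optional BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("bad BOOLEAN")
        ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:   # optional INTEGER pathLen
        _, val, pos = _read_tlv(body, pos)
        if not val or val[0] & 0x80:
            raise ValueError("pathLenConstraint must be non-negative")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected data in basicConstraints")
    return ca, path_len

def may_issue(extn_value: Optional[bytes]) -> bool:
    """Assumed receiver policy: only an explicit cA=TRUE marks an issuer."""
    if extn_value is None:                      # extension absent
        return False
    return parse_basic_constraints(extn_value)[0]

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(name, parse_basic_constraints(der), may_issue(der))
```

Pass `None` to `may_issue` when the certificate has no basicConstraints extension at all; a malformed value raises `ValueError` rather than being treated as either role.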

