David P. Kemp wrote:
Blake,
Thanks for clarifying the requirement to support certificates
without email addresses.
Comments:
1. Section 2.3 para 4: "Agents MAY send CA certificates, that is,
certificates that are self-signed and can be considered the "root"
of other chains." This incorrectly implies that the only kind
of CA cert is the self-signed kind. Suggest "Agents MAY send
CA certificates that are self-signed and ..."
2. Section 4.4 paragraph 2: Why must sending and receiving
agents correctly handle the listed extensions only when they
appear in end-entity certificates? Suggest that sending and
receiving agents MUST correctly (i.e. in accordance with RFC 3280)
handle the basic constraints, key usage, AKI, SKI, and SAN extensions
in end-entity *and CA* certificates.
3. Section 4.4.1 paragraph 3: "Certificates SHOULD contain a
basicConstraints extension in CA certificates and SHOULD NOT contain
that extension in end entity certificates." In order to avoid
inconsistency with PKIX, change to "Certificates MUST contain a
basicConstraints extension in CA certificates and SHOULD NOT contain
that extension in end entity certificates." In other words, a
sending and receiving agent is non-compliant if it accepts
a v3 certificate without the basicConstraints extension as a CA
certificate.
Dave
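The rule behind comment 3 is RFC 3280 section 6.1.4 step (k): a v3 certificate may act as a CA only if it carries a basicConstraints extension with cA=TRUE. The following is an added example, not code from this thread or from any S/MIME implementation; it assumes the certificate has already been parsed into its human-numbered version (1, 2 or 3) and a list of (OID, critical, DER extnValue) tuples, and it decodes the basicConstraints value itself.

```python
# Added example: RFC 3280 6.1.4(k) as a stand-alone check.
# Input assumptions (not from the thread): `version` is 1, 2 or 3 and
# `extensions` is a list of (oid_string, critical_bool, der_value_bytes).
OID_BASIC_CONSTRAINTS = "2.5.29.19"

def parse_basic_constraints(der):
    """Decode DER BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }.
    Returns (ca, path_len); raises ValueError on malformed input."""
    if len(der) < 2 or der[0] != 0x30 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("basicConstraints is not a short-form DER SEQUENCE")
    body, ca, path_len = der[2:], False, None
    if body[:2] == b"\x01\x01":              # BOOLEAN cA, length 1
        # DER encodes TRUE as 0xFF and requires the DEFAULT FALSE value to be omitted
        if len(body) < 3 or body[2] != 0xFF:
            raise ValueError("non-DER BOOLEAN in basicConstraints")
        ca, body = True, body[3:]
    if body[:1] == b"\x02":                  # INTEGER pathLenConstraint
        n = body[1] if len(body) > 1 else 0
        if n == 0 or len(body) != 2 + n:
            raise ValueError("bad pathLenConstraint length")
        path_len = int.from_bytes(body[2:2 + n], "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
        body = body[2 + n:]
    if body:
        raise ValueError("trailing bytes in basicConstraints")
    return ca, path_len

def may_act_as_ca(version, extensions):
    """True only for a v3 certificate whose basicConstraints says cA=TRUE.
    v1/v2 certificates are rejected: RFC 3280 permits them as CAs only when
    trust is established out of band, which this check cannot do."""
    if version != 3:
        return False
    for oid, _critical, value in extensions:
        if oid == OID_BASIC_CONSTRAINTS:
            ca, _path_len = parse_basic_constraints(value)
            return ca
    return False   # no basicConstraints at all: not a CA (the MUST reading)

# Constructed sample extension values for illustration
CA_TRUE = b"\x30\x03\x01\x01\xff"                     # cA=TRUE
CA_TRUE_PATHLEN0 = b"\x30\x06\x01\x01\xff\x02\x01\x00"  # cA=TRUE, pathLen 0
CA_DEFAULT_FALSE = b"\x30\x00"                         # cA omitted => FALSE
```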
Dave,
I think the 1st and 3rd comments are editorial, but the 2nd corrects
something that was wrong. I hope that implementors didn't just handle
the extensions in EE certs but instead did the right thing and handled
the extensions in CA certs as per 3280.
spt