x509 v1 certificate
ARIGA Seiji
ariga at os.rim.or.jp
Thu Sep 21 08:00:50 CEST 2006
On Wed, 20 Sep 2006 14:21:04 +0200,
Werner Koch <wk at gnupg.org> wrote,
> > hmm. let me ask one more. output below is from "gpgsm -kv". you can see
> > "[error: No value]" at "key usage:" and "chain length:" field (which,
> > I think, is in x509 extension field that x509 version 1 cert doesn't
> > have). isn't this the same error I got when I ran "gpgsm --verify" ?
>
> Yes. I have now looked at the certificate. The problematic part in
> the chain is the root certificate:
[...]
> As you rightfully noticed, the keyUsage is missing and gpgsm flags
> this as an error. However, PKIX (rfc3280) says:
[...]
> The missing basicConstraints ("chainLength" above) is another reason
> why this certificate is not valid (rfc3280, 4.2.1.10):
[...]
> The question whether version 1 is supported is thus non-relevant
> because we are validating certificates. In this case PKIX requires
> extensions and following from that version should be 3 as per 4.1.2.1.
[...]
> The question now is how we can support these root certificates. An
> option to bypass the failing checks would be an appropriate way.
Yeah, I totally agree with you.
> I am currently investigating how we can completely support qualified
> signatures according to the German law. This might require a mechanism
> to allow certain exceptions.
I'd appreciate it if you can find a way to support it.
FYI, "Internet Explorer 6.0 SP2" has 115 root certificates (though
this includes some of my private root certs), and 44 certs are v1
certs. The problem, I think, is that VeriSign's certs, one of the most
popular CAs, are all version 1 ...
// ARIGA Seiji
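Added example (not from this thread or from gpgsm): a stdlib-only DER walk that applies the PKIX points Werner raises to a certificate, i.e. reports the X.509 version and whether keyUsage (2.5.29.15) and basicConstraints (2.5.29.19) are present, so a v1 root like the one discussed shows up as "version 1, both missing". `sample_cert` builds constructed, unsigned placeholder certificates with empty names and SPKI purely to exercise the check; `check_pkix_ca` and `_enc` are names chosen here.

```python
KEY_USAGE = bytes.fromhex("551d0f")          # OID 2.5.29.15 (raw DER value)
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19 (raw DER value)

def _tlv(data, pos):
    """Decode one DER element at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq):
    pos = 0                                  # yield (tag, value) of each element
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def check_pkix_ca(cert_der):
    """Return (version, missing_extension_oids) for a DER Certificate."""
    _, cert, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate
    fields = list(_children(tbs))
    version = 1                              # absent [0] means DEFAULT v1
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT Version INTEGER
        version = fields[0][1][-1] + 1       # v3 is encoded as INTEGER 2
    found = set()
    for tag, val in fields:
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, exts = next(_children(val))   # SEQUENCE OF Extension
            for _, ext in _children(exts):
                found.add(next(_children(ext))[1])   # extnID OID bytes
    missing = [o for o in (KEY_USAGE, BASIC_CONSTRAINTS) if o not in found]
    return version, missing

def _enc(tag, content):
    """Tiny DER TLV encoder (lengths up to 255) for building test certs."""
    length = bytes([len(content)]) if len(content) < 128 else bytes([0x81, len(content)])
    return bytes([tag]) + length + content

def sample_cert(v3, ext_oids=()):
    """Constructed placeholder cert: unsigned, empty names/SPKI, no real key."""
    body = [_enc(0x02, b"\x01")]             # serialNumber 1
    if v3:
        body.insert(0, _enc(0xA0, _enc(0x02, b"\x02")))   # version v3
    body += [_enc(0x30, b"")] * 5            # sigAlg, issuer, validity, subject, spki
    if ext_oids:                             # each Extension: extnID + extnValue
        exts = b"".join(_enc(0x30, _enc(0x06, o) + _enc(0x04, b"")) for o in ext_oids)
        body.append(_enc(0xA3, _enc(0x30, exts)))
    tbs = _enc(0x30, b"".join(body))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))  # + sigAlg, sig
```

A v1 certificate that nevertheless carries extensions is reported as version 1 with nothing missing, which is exactly the version/extension inconsistency RFC 3280 section 4.1.2.1 rules out.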