x509 v1 certificate

ARIGA Seiji ariga at os.rim.or.jp
Thu Sep 21 08:00:50 CEST 2006


On Wed, 20 Sep 2006 14:21:04 +0200,
Werner Koch <wk at gnupg.org> wrote,

> > hmm. let me ask one more. output below is from "gpgsm -kv". you can see
> > "[error: No value]" at "key usage:" and "chain length:" field (which,
> > i think, is in x509 extension field that x509 version 1 cert doesn't
> > have). isn't this the same error i got when i ran "gpgsm --verify"?
> 
> Yes.  I have now looked at the certificate.  The problematic part in
> the chain is the root certificate:
[...]
> As you rightfully noticed, the keyUsage is missing and gpgsm flags
> this as an error.  However, PKIX (rfc3280) says:
[...]
> The missing basicConstraints ("chainLength" above) is another reason
> why this certificate is not valid (rfc3280, 4.2.1.10):
[...]
> The question whether version 1 is supported is thus non-relevant
> because we are validating certificates.  In this case PKIX requires
> extensions and following from that version should be 3 as per 4.1.2.1.
[...]
> The question now is how we can support these root certificates.  An
> option to bypass the failing checks would be an appropriate way.

yeah, i totally agree with you.

> I am currently investigating how we can completely support qualified
> signatures according to the German law.  This might require a mechanism
> to allow certain exceptions.

i'd appreciate it if you can find a way to support it.

FYI, "Internet Explorer 6.0 SP2" has 115 root certificates (though
this includes some of my private root certs), and 44 of them are v1
certs. the problem, i think, is that VeriSign's certs (one of the most
popular CAs) are all version 1 ...

// ARIGA Seiji
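The structural difference the thread is about (a v1 root has no version field and no extensions block, so keyUsage and basicConstraints cannot be present, which is what gpgsm reports as "[error: No value]") can be shown with a small DER walker. The following is an added example written for this archive page; it is not gpgsm's or GnuPG's code. It builds two constructed, unsigned certificates (a v1 one and a v3 one with keyUsage and basicConstraints), then reports the version, the extension OIDs found, and the RFC 3280 findings a validator would raise. The CA name, serial, dates and placeholder key and signature bytes are all made up for the example.

```python
"""Detect X.509 v1 roots that lack the extensions PKIX (RFC 3280) requires of a CA.

Added example: a minimal DER encoder/decoder, not GnuPG code. The sample
certificates are constructed inline and carry a zero-filled placeholder signature.
"""

OID_KEY_USAGE = "2.5.29.15"          # id-ce-keyUsage
OID_BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints


# ---- tiny DER encoder, used only to build the constructed samples ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, continuation bit on all but last
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(enc))
    return tlv(0x06, body)


# ---- tiny DER decoder, used by the inspector ----
def read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der: bytes) -> dict:
    """Return version, extension OIDs and the PKIX findings gpgsm-style checks would raise."""
    _, cert, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    version = 1                                # version [0] absent => DEFAULT v1(0)
    if fields[0][0] == 0xA0:
        version = children(fields[0][1])[0][1][0] + 1
    ext_oids = []
    for tag, val in fields:
        if tag == 0xA3:                        # extensions [3] EXPLICIT, v3 only
            for _, ext in children(children(val)[0][1]):
                ext_oids.append(decode_oid(children(ext)[0][1]))
    findings = []
    if OID_KEY_USAGE not in ext_oids:
        findings.append("keyUsage missing (RFC 3280 4.2.1.3)")
    if OID_BASIC_CONSTRAINTS not in ext_oids:
        findings.append("basicConstraints missing (RFC 3280 4.2.1.10)")
    return {"version": version, "extensions": ext_oids, "findings": findings}


# ---- constructed sample certificates (placeholder key and signature, not real) ----
def _tbs_body() -> bytes:
    alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, b"Constructed Root CA"))))
    validity = tlv(0x30, tlv(0x17, b"060901000000Z") + tlv(0x17, b"360901000000Z"))
    spki = tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 9))
    return tlv(0x02, b"\x01") + alg + name + validity + name + spki


def _wrap(tbs_content: bytes) -> bytes:
    alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tbs_content) + alg + tlv(0x03, b"\x00" * 17))  # zero signature placeholder


def build_v1_cert() -> bytes:
    return _wrap(_tbs_body())


def build_v3_cert() -> bytes:
    version = tlv(0xA0, tlv(0x02, b"\x02"))                                  # INTEGER 2 => v3
    key_usage = tlv(0x30, encode_oid(OID_KEY_USAGE) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x01\x06")))  # keyCertSign|cRLSign
    basic = tlv(0x30, encode_oid(OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))  # cA=TRUE
    return _wrap(version + _tbs_body() + tlv(0xA3, tlv(0x30, key_usage + basic)))


if __name__ == "__main__":
    for label, der in (("v1 root", build_v1_cert()), ("v3 root", build_v3_cert())):
        print(label, inspect_certificate(der))
```

Run it directly and the v1 sample reports version 1 with both findings, while the v3 sample reports version 3 and no findings; a real validator that wanted to "bypass the failing checks" for a trusted v1 root would skip exactly those two findings, and only for certificates already installed as trust anchors.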



More information about the Gnupg-devel mailing list