x509 v1 certificate
Simon Josefsson
jas at extundo.com
Thu Sep 21 17:00:22 CEST 2006
Werner Koch <wk at gnupg.org> writes:
> As you rightfully noticed, the keyUsage is missing and gpgsm flags
> this as an error. However, PKIX (rfc3280) says:
>
> This extension MUST appear in certificates that contain public keys
> that are used to validate digital signatures on other public key
> certificates or CRLs. When this extension appears, it SHOULD be
> marked critical.
>
> Other profiles (e.g. ISIS-MTT) state it even more clearly.
Although RFC 3280 goes on to say in section 6 that:
(n) If a key usage extension is present, verify that the
keyCertSign bit is set.
The interpretation I've made is that while the CA certificate does not
conform to RFC 3280, a certificate chain verifier that conforms to RFC
3280 can accept certificates that lack a key usage extension.
It would be nice if the specifications were a bit clearer on this
matter... (GnuTLS does accept CA certificates that lack the key usage
extension.)
/Simon
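Added example, not part of the thread or of GnuTLS/gpgsm: a small Python check that applies RFC 3280 section 6.1.4 step (n) to a CA certificate's KeyUsage value, with a lenient mode (absent extension accepted, as the post describes for GnuTLS) and a strict mode (absent extension rejected, as the post describes for gpgsm). The DER bit strings and the function names are constructed for illustration.

```python
# Added example (not from the thread): RFC 3280 section 6.1.4 step (n)
# applied to a CA certificate's KeyUsage extension. All DER bytes below
# are constructed samples.
from typing import Optional

# Bit positions from the KeyUsage ASN.1 definition (RFC 3280 4.2.1.3).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (short-form length) into bit names.
    Layout: tag 0x03, length, unused-bit count, then bit bytes MSB first."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    nbits = len(body) * 8 - unused
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < nbits and body[pos // 8] & (0x80 >> (pos % 8))}

def check_ca_key_usage(key_usage_der: Optional[bytes], strict: bool = False):
    """Apply step (n): if KeyUsage is present, keyCertSign must be set.
    Absent extension: accepted (what the post describes for GnuTLS) unless
    strict=True, which models a profile that requires the extension
    (what the post describes for gpgsm). Returns (ok, reason)."""
    if key_usage_der is None:
        if strict:
            return False, "keyUsage extension missing"
        return True, "keyUsage absent; step (n) does not apply"
    if "keyCertSign" not in decode_key_usage(key_usage_der):
        return False, "keyUsage present but keyCertSign not set"
    return True, "keyCertSign set"

# Constructed: 1 unused bit, 0x06 -> keyCertSign and cRLSign set (typical CA).
CA_KEY_USAGE = bytes([0x03, 0x02, 0x01, 0x06])
# Constructed: 7 unused bits, 0x80 -> digitalSignature only (end-entity pattern).
EE_KEY_USAGE = bytes([0x03, 0x02, 0x07, 0x80])

if __name__ == "__main__":
    for label, der in (("CA", CA_KEY_USAGE), ("EE", EE_KEY_USAGE), ("none", None)):
        print(label, check_ca_key_usage(der), check_ca_key_usage(der, strict=True))
```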