x509 v1 certificate

Simon Josefsson jas at extundo.com
Thu Sep 21 17:00:22 CEST 2006

Werner Koch <wk at gnupg.org> writes:

> As you rightfully noticed, the keyUsage is missing and gpgsm flags
> this as an error.  However, PKIX (rfc3280) says:
>    This extension MUST appear in certificates that contain public keys
>    that are used to validate digital signatures on other public key
>    certificates or CRLs.  When this extension appears, it SHOULD be
>    marked critical.
> Other profiles (e.g. ISIS-MTT) state it even more clear.

Although RFC 3280 goes on to say in section 6 that:

      (n)  If a key usage extension is present, verify that the
      keyCertSign bit is set.

The interpretation I've made is that while the CA certificate does not
conform to RFC 3280, a certificate chain verifier that conform to RFC
3280 can accept certificates that lack a key usage extension.

It would be nice if the specifications were a bit clearer on this
matter...  (GnuTLS do accept CA certificates that lack the key usage


More information about the Gnupg-devel mailing list