x509 v1 certificate

Kazu Yamamoto ( 山本和彦 ) kazu at iij.ad.jp
Mon Sep 25 02:35:26 CEST 2006


> The missing basicContraints ("chainLength" above) is another reason
> why this certificate is not valid (rfc3280,
>    This extension MUST appear as a critical extension in all CA
>    certificates that contain public keys used to validate digital
>    signatures on certificates.  [...]
> The question whether version 1 is supported is thus non-relevant
> because we are validating certificates.  In this case PKIX requires
> extensions and following from that version should be 3 as per

I have asked this to a specialist of X.509 and he said that Werner's
interpretation is not correct.

Yes, RFC3280 is not readable but the "certificates" in Section 4
refers "intermediate" CA's ones only, dos not refer to root CA's ones.

Please read Section 6 carefully. First, trusted anchor is to be set.
Practically speaking, the trusted anchor is taken from a root CA's
certificate. But it is trusted anchor, not certificate in the
varification algorithm.

Thus the root CA's certificate is NOT treated as a certificate, thus
it need not include the extensions above. It's OK even if the root
CA's certificate is v1.

Intermediated CA's certificates are treated as certificates. Since
they MUST include the extensions above, it MUST be v3.

--Kazu Yamamoto

More information about the Gnupg-devel mailing list