x509 v1 certificate

Werner Koch wk at gnupg.org
Mon Sep 25 12:31:00 CEST 2006

On Mon, 25 Sep 2006 10:58, Simon Josefsson said:

> However, I do agree with you, and a perfectly reasonable
> interpretation is that CA certificates (including root CAs) MUST have
> key usage extensions, but a conforming verifier of certificates chains
> should permit certificates without key usage extensions.  This is also

But not without BasicConstraints.  I just looked at the test
specification we had to pass and they clearly state that all CA
certificates (including the root CA certificate) are required to carry
a BasicConstraints.

Whey saying "all certificates issued by a CA" this obviously includes
the root certitificate because that one has been issued by the CA too.
Whether it is self-signed or not does not matter.



More information about the Gnupg-devel mailing list