x509 v1 certificate

Kazu Yamamoto ( 山本和彦 ) kazu at iij.ad.jp
Mon Sep 25 12:52:28 CEST 2006

From: Werner Koch <wk at gnupg.org>
Subject: Re: x509 v1 certificate

> Whey saying "all certificates issued by a CA" this obviously includes
> the root certitificate because that one has been issued by the CA too.
> Whether it is self-signed or not does not matter.

During verification, a root certificate is NOT a certificate, but
trusted anchor. This is a point.

We can obtain trusted anchor from *anything*, even from something
which is not a root certificate. Again, practically speaking, this
information is extracted from the root certificate.  But the root
certificate is not treated as a certificate.

How to verify root certificate is outside scope of the Section 6.


More information about the Gnupg-devel mailing list