x509 v1 certificate
Kazu Yamamoto ( 山本和彦 )
kazu at iij.ad.jp
Mon Sep 25 12:52:28 CEST 2006
From: Werner Koch <wk at gnupg.org>
Subject: Re: x509 v1 certificate
> Whey saying "all certificates issued by a CA" this obviously includes
> the root certitificate because that one has been issued by the CA too.
> Whether it is self-signed or not does not matter.
During verification, a root certificate is NOT a certificate, but
trusted anchor. This is a point.
We can obtain trusted anchor from *anything*, even from something
which is not a root certificate. Again, practically speaking, this
information is extracted from the root certificate. But the root
certificate is not treated as a certificate.
How to verify root certificate is outside scope of the Section 6.
More information about the Gnupg-devel