x509 v1 certificate
Werner Koch
wk at gnupg.org
Mon Sep 25 16:07:56 CEST 2006
Hi,
I found this reference (ISIS_MTT, Part 5, Table 2, Column 3 - Pseudo
code for ValidateCertificate):

    if( tbvCert.certType != EndEntityAC )
    {
        if( tbvCert.KeyUsagePresent()==false )
            return false;
        if( CheckKeyUsage( tbvCert, intendedKeyUsage )==false )
            return false;
    }

It is practical to check at this early stage whether the certificate
is authorized for the intended key usage indicated in parameter
intendedKeyUsage. Permitted key uses are indicated in the KeyUsage
and the ExtendedKeyUsage extensions of tbvCert. CA certificates
(i.e. CA-, root-CA- and cross-certificates) MUST furthermore contain
!          ^^^^^^^^
the BasicConstraints extension and MUST have the cA-flag set. If the
intended usage is not permitted, ValidateCertificate() returns false.
ISIS-MTT PROFILE: Note that the KeyUsage extension MUST be present
in all PKCs and is always critical (P1.T12.[1]).
Where BasicConstraints are explicitly required for root certificates.
Well, this is what we had to implement in gpgsm. As said, there are
so many profiles and all want to be compatible with each other.
Shalom-Salam,
Werner
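
The usage step from the quoted pseudocode, extended with the BasicConstraints rule for CA certificates, as an added C example that is not part of the original message and not gpgsm's code. The struct, the names and the three sample certificates are constructed for illustration, and the ExtendedKeyUsage check is left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified certificate view (not gpgsm's data structures). */
enum cert_type { END_ENTITY_PKC, CA_CERT, ROOT_CA_CERT, CROSS_CERT, END_ENTITY_AC };

/* KeyUsage bits, numbered as in RFC 5280. */
enum { KU_DIGITAL_SIGNATURE = 1 << 0, KU_KEY_CERT_SIGN = 1 << 5, KU_CRL_SIGN = 1 << 6 };

struct cert {
    enum cert_type type;
    int version;                 /* 1 or 3 */
    bool has_key_usage;
    unsigned key_usage;
    bool has_basic_constraints;
    bool ca_flag;
};

/* Constructed samples: a v3 root, a v1 root, a v3 root lacking BasicConstraints. */
static const struct cert v3_root    = { ROOT_CA_CERT, 3, true, KU_KEY_CERT_SIGN | KU_CRL_SIGN, true, true };
static const struct cert v1_root    = { ROOT_CA_CERT, 1, false, 0, false, false };
static const struct cert no_bc_root = { ROOT_CA_CERT, 3, true, KU_KEY_CERT_SIGN, false, false };

/* Usage step of the quoted ValidateCertificate pseudocode plus the CA rule. */
bool usage_permitted(const struct cert *c, unsigned intended)
{
    bool ext = c->version >= 3;  /* v1 certificates cannot carry extensions */

    if (c->type == END_ENTITY_AC)
        return true;             /* step does not apply to attribute certs */
    if (!(ext && c->has_key_usage))
        return false;            /* KeyUsage must be present */
    if ((c->key_usage & intended) != intended)
        return false;            /* intended usage not permitted */
    if (c->type != END_ENTITY_PKC && !(ext && c->has_basic_constraints && c->ca_flag))
        return false;            /* CA, root-CA, cross: BasicConstraints with cA set */
    return true;
}

int main(void)
{
    printf("v3 root:    %d\n", usage_permitted(&v3_root, KU_KEY_CERT_SIGN));
    printf("v1 root:    %d\n", usage_permitted(&v1_root, KU_KEY_CERT_SIGN));
    printf("no-BC root: %d\n", usage_permitted(&no_bc_root, KU_KEY_CERT_SIGN));
    return 0;
}
```

Under these rules a v1 root certificate fails at the KeyUsage presence test, before the BasicConstraints rule is even reached.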