x509 v1 certificate

Werner Koch wk at gnupg.org
Mon Sep 25 16:07:56 CEST 2006


I found this reference (ISIS_MTT, Part 5, Table 2, Column 3 - Pseudo
code for ValidateCertificate):

  if( tbvCert.certType != EndEntityAC )
    if( tbvCert.KeyUsagePresent()==false )
      return false;
    if( CheckKeyUsage( tbvCert, intendedKeyUsage )==false )
      return false;
  It is practical to check at this early stage whether the certificate
  is authorized for the intended key usage indicated in parameter
  intendedKeyUsage. Permitted key uses are indicated in the KeyUsage
  and the ExtendedKeyUsage extensions of tbvCert. CA certificates
  (i.e. CA-, root-CA- and cross-certificates) MUST furthermore contain
!             ^^^^^^^^
  the BasicConstraints extension and MUST have the cA-flag set. If the
  intended usage is not permitted, ValidatCertificate() returns false.
  ISIS-MTT PROFILE: Note that the KeyUsage extension MUST be present
  in all PKCs and is always critical (P1.T12.[1]).

Where BasicConstraints are explicitly required for root certificates.
Well, this is what we had to implement in gpgsm.  As said, there are
so many profiles and all want to be compatible with each other.
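
The check quoted above, worked through for an X.509 v1 root, which cannot carry extensions. This is an added example, not part of the original post and not gpgsm's code. The `Cert` model, the function name and the sample certificates are constructed assumptions, and attribute certificates and ExtendedKeyUsage are left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed public-key certificate (hypothetical model)."""
    version: int
    is_ca: bool  # role in the chain: CA-, root-CA- or cross-certificate
    key_usage: Optional[FrozenSet[str]] = None  # None means the extension is absent
    key_usage_critical: bool = False
    basic_constraints_ca: Optional[bool] = None  # None means the extension is absent


def check_intended_usage(cert: Cert, intended: str) -> Tuple[bool, str]:
    """Apply the quoted key-usage step and return (accepted, reason)."""
    # KeyUsage MUST be present in all PKCs and is always critical.
    if cert.key_usage is None:
        return False, "KeyUsage extension missing"
    if not cert.key_usage_critical:
        return False, "KeyUsage not marked critical"
    if intended not in cert.key_usage:
        return False, "intended usage not permitted"
    # CA certificates, roots included, MUST carry BasicConstraints with cA set.
    if cert.is_ca:
        if cert.basic_constraints_ca is None:
            return False, "CA certificate without BasicConstraints"
        if not cert.basic_constraints_ca:
            return False, "cA flag not set"
    return True, "ok"


# Constructed samples. A v1 certificate has no extensions field at all.
CA_USAGE = frozenset({"keyCertSign", "cRLSign"})
V1_ROOT = Cert(version=1, is_ca=True)
V3_ROOT_NO_BC = Cert(3, True, CA_USAGE, True)
V3_ROOT = Cert(3, True, CA_USAGE, True, True)
V3_LEAF = Cert(3, False, frozenset({"digitalSignature"}), True)

if __name__ == "__main__":
    samples = [("v1 root", V1_ROOT, "keyCertSign"),
               ("v3 root, no BasicConstraints", V3_ROOT_NO_BC, "keyCertSign"),
               ("v3 root", V3_ROOT, "keyCertSign"),
               ("v3 end entity", V3_LEAF, "digitalSignature")]
    for name, cert, usage in samples:
        print(name, "->", check_intended_usage(cert, usage))
```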


