[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
support for v1 certificates?
Re: draft-ietf-ipsec-pki-profile-01.txt
On Wednesday, November 13, 2002, at 08:41 AM, Housley, Russ wrote:
>>> In section 4.1.1, I agree that v3 certificates should be required
>>> for end entity and CA certificates. However, the same code will
>>> likely be used for several purposes, and one of them is trust
>>> anchors.
>>> Self-signed v1 certificates are often used to establish trust
>>> anchors.
>>
>> 3280 mandates that BasicConstraints appear in CA certificates, but
>> doesn't appear to state that a self-signed trust anchor can
>> be treated differently. 3280 does state the following:
>>
>> When the trust anchor is provided in the form of a self-signed
>> certificate, this self-signed certificate is not included as part
>> of
>> the prospective certification path.
>>
>> However, without going back and examining the validation algorithm,
>> it's difficult to know what this means with regards to BC.
>>
>> In the context of IPsec, do we see many v1 certificates used for this
>> purpose? I kinda thought that v1 certificates were a dying breed.
>
> Management of trust anchors is outside the scope of the validation
> algorithm in RFC 3280. If self-signed certificates are used, the
> algorithm will not validate them. They are not part of the
> certification path.
>
> I would like to see v1 certificates go away too. I do not think it
> will happen soon. For example, there are several v1 certificates
> built in to Internet Explorer that will not expire until 2018. Others
> will not expire until 2028. So, if the IPsec certificates chain to
> these trust anchors, one can expect to encounter the situation that I
> raised.
I'm not sure it is a good thing to be chaining to the v1
certificates in Internet Explorer, but that's perhaps a
different issue. :)
That said, if someone supports v3, v1 basically comes
for free.
Does anyone care whether support for v1 is optional
vs. mandatory?
-brian
briank@xythos.com