support for v1 certificates?



Re: draft-ietf-ipsec-pki-profile-01.txt

On Wednesday, November 13, 2002, at 08:41 AM, Housley, Russ wrote:
>>> In section 4.1.1, I agree that v3 certificates should be required 
>>> for end entity and CA certificates.  However, the same code will 
>>> likely be used for several purposes, and one of them is trust 
>>> anchors.
>>> Self-signed v1 certificates are often used to establish trust 
>>> anchors.
>>
>> 3280 mandates that BasicConstraints appear in CA certificates, but
>> doesn't appear to state that a self-signed trust anchor can
>> be treated differently.  3280 does state the following:
>>
>>    When the trust anchor is provided in the form of a self-signed
>>    certificate, this self-signed certificate is not included as part of
>>    the prospective certification path.
>>
>> However, without going back and examining the validation algorithm,
>> it's difficult to know what this means with regards to BC.
>>
>> In the context of IPsec, do we see many v1 certificates used for this
>> purpose?  I kinda thought that v1 certificates were a dying breed.
>
> Management of trust anchors is outside the scope of the validation 
> algorithm in RFC 3280.  If self-signed certificates are used, the 
> algorithm will not validate them.  They are not part of the 
> certification path.
>
> I would like to see v1 certificates go away too.  I do not think it 
> will happen soon.  For example, there are several v1 certificates 
> built in to Internet Explorer that will not expire until 2018.  Others 
> will not expire until 2028.  So, if the IPsec certificates chain to 
> these trust anchors, one can expect to encounter the situation that I 
> raised.

I'm not sure it is a good thing to be chaining to the v1
certificates in Internet Explorer, but that's perhaps a
different issue.  :)

That said, if someone supports v3, v1 basically comes
for free.

Does anyone care whether support for v1 is optional
vs. mandatory?

-brian
briank@xythos.com