
Re: support for v1 certificates?
"Housley, Russ" wrote:
> >That said, if someone supports v3, v1 basically comes
> >for free.
> 
> Not really.  With v1 certificates, you cannot have the basic constraints
> extension.  That was the point that started this thread.

I meant "basically free" in the sense that very little additional
implementation work is necessary.


> >Does anyone care whether support for v1 is optional
> >vs. mandatory?
> 
> I do not see a need for v1 certificates in general.  That is why I
> suggested breaking the discussion into two parts.  One part should address
> trust anchors.  In this area, v1 should be permitted.  The other part
> should address the certification path, which terminates at the trust
> anchor, but does not include the trust anchor itself. In this area, v3
> should be mandated.

I'm not sure how that differs from saying that possibly any
CA certificate -- any that is a trust anchor by local policy --
can be a v1 certificate.  

Let's say host A has chain CA1->CA2->EEA while host B
has chain CA2->EEB (CA2 is the trust anchor for B).
If CA2 is a trust anchor, then are you saying that CA2
should be permitted to be a v1 cert?

-brian
briank@xythos.com
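The rule under discussion, as an added illustration that is not part of the thread: a v1 certificate is tolerated only in the trust anchor position, every certificate in the certification path proper must be v3, and each intermediate CA must carry basicConstraints with cA=TRUE. The certificate model below is a hypothetical dict-based stand-in for real X.509 parsing, the chains are constructed from the CA1/CA2/EEA/EEB example in the message, and it is assumed that CA1 is host A's trust anchor (the message only states that CA2 is host B's).

```python
"""Path-validation policy from the thread, applied to Brian's two hosts.

Hypothetical certificate model: each certificate is a dict with subject,
issuer, version and the cA flag of basicConstraints. This is illustration
code, not an X.509 parser.
"""

# X.509 encodes the version as an INTEGER: 0 means v1, 2 means v3.
V1, V3 = 0, 2


def cert(subject, issuer, version, ca=None):
    """Build a minimal certificate record.

    `ca` is the cA flag of basicConstraints; None means the extension is
    absent. A v1 certificate has no extensions field at all, so it can
    never carry basicConstraints (the point Russ makes in the thread).
    """
    if version == V1 and ca is not None:
        raise ValueError("v1 certificates cannot carry extensions")
    return {"subject": subject, "issuer": issuer, "version": version, "ca": ca}


def validate_path(trust_anchor, path):
    """Validate `path` (issuer-first, ending at the end entity) against
    `trust_anchor`, which terminates the path but is not part of it.

    Policy: the anchor is trusted by local configuration and its version is
    not examined; every certificate in the path must be v3; every
    non-end-entity certificate in the path must assert cA=TRUE.
    Returns (ok, reason).
    """
    expected_issuer = trust_anchor["subject"]
    for i, c in enumerate(path):
        is_end_entity = i == len(path) - 1
        if c["issuer"] != expected_issuer:
            return False, f"{c['subject']}: issuer {c['issuer']!r} does not chain to {expected_issuer!r}"
        if c["version"] != V3:
            return False, f"{c['subject']}: version {c['version']} in path, v3 required"
        if not is_end_entity and c["ca"] is not True:
            return False, f"{c['subject']}: intermediate CA lacks basicConstraints cA=TRUE"
        expected_issuer = c["subject"]
    return True, "ok"


def thread_scenario(ca2_version):
    """Host A: CA1 -> CA2 -> EEA with CA1 as anchor (assumption).
    Host B: CA2 -> EEB with CA2 as anchor (as stated in the message).
    Returns (host_a_ok, host_b_ok) for the given version of CA2.
    """
    ca1 = cert("CA1", "CA1", V3, ca=True)
    ca2 = cert("CA2", "CA1", ca2_version, ca=True if ca2_version == V3 else None)
    eea = cert("EEA", "CA2", V3)
    eeb = cert("EEB", "CA2", V3)
    host_a_ok, _ = validate_path(ca1, [ca2, eea])  # CA2 is inside A's path
    host_b_ok, _ = validate_path(ca2, [eeb])       # CA2 is B's trust anchor
    return host_a_ok, host_b_ok


if __name__ == "__main__":
    for version, name in ((V1, "v1"), (V3, "v3")):
        a, b = thread_scenario(version)
        print(f"CA2 as {name}: host A accepts={a}, host B accepts={b}")
```

Under this policy the same v1 CA2 certificate is accepted by host B, where it is the locally configured anchor, and rejected by host A, where it sits inside the path and would have to carry basicConstraints it cannot express. That is the split Russ proposes, made concrete for the exact chains Brian asks about.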