Re: support for v1 certificates?
"Housley, Russ" wrote:
> >That said, if someone supports v3, v1 basically comes
> >for free.
>
> Not really. With v1 certificates, you cannot have the basic constraints
> extension. That was the point that started this thread.
I meant "basically free" in the sense that very little additional
implementation work is necessary.
> >Does anyone care whether support for v1 is optional
> >vs. mandatory?
>
> I do not see a need for v1 certificates in general. That is why I
> suggested breaking the discussion into two parts. One part should address
> trust anchors. In this area, v1 should be permitted. The other part
> should address the certification path, which terminates at the trust
> anchor, but does not include the trust anchor itself. In this area, v3
> should be mandated.
I'm not sure how that differs from saying that possibly any
CA certificate -- any that is a trust anchor by local policy --
can be a v1 certificate.
Let's say host A has chain CA1->CA2->EEA while host B
has chain CA2->EEB (CA2 is the trust anchor for B).
If CA2 is a trust anchor, then are you saying that CA2
should be permitted to be a v1 cert?
-brian
briank@xythos.com
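The two-part policy Russ describes (a trust anchor may be v1; every certificate inside the certification path, which excludes the anchor, must be v3 and, for intermediates, must carry basicConstraints cA=TRUE) can be made concrete with a small path checker. The code below is an added illustration and not part of this thread or of any PKIX implementation; it uses a constructed, simplified stand-in for X.509 certificates rather than real DER, and reuses Brian's names CA1, CA2, EEA and EEB for the two hosts' chains. Host A trusts CA1, so CA2 sits inside A's path; host B trusts CA2 directly, so the same CA2 certificate is B's anchor.

```python
from dataclasses import dataclass
from typing import List, Optional


# Constructed, simplified stand-in for an X.509 certificate. Only the fields the
# thread talks about are modelled: version, subject/issuer names, and the
# basicConstraints cA flag (which a v1 certificate cannot carry, since v1 has
# no extensions at all).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int                   # 1 or 3 (X.509 v1 / v3)
    is_ca: Optional[bool] = None   # basicConstraints.cA; None = extension absent

    def __post_init__(self):
        if self.version == 1 and self.is_ca is not None:
            raise ValueError(f"{self.subject}: v1 certificate cannot carry basicConstraints")


def validate_path(path: List[Cert], trust_anchor: Cert) -> List[str]:
    """Return the list of policy violations; an empty list means the path is accepted.

    Policy as proposed in the thread:
      * the trust anchor is outside the path and may be v1;
      * every certificate inside the path must be v3;
      * every intermediate CA in the path must assert basicConstraints cA=TRUE.
    path[0] is the certificate issued by the trust anchor, path[-1] the end entity.
    """
    problems = []
    expected_issuer = trust_anchor.subject
    for idx, cert in enumerate(path):
        is_end_entity = idx == len(path) - 1
        if cert.issuer != expected_issuer:
            problems.append(
                f"{cert.subject}: issuer {cert.issuer!r} does not chain to {expected_issuer!r}")
        if cert.version != 3:
            problems.append(
                f"{cert.subject}: v{cert.version} certificate inside the path (v3 required)")
        if not is_end_entity and cert.is_ca is not True:
            problems.append(
                f"{cert.subject}: intermediate CA without basicConstraints cA=TRUE")
        expected_issuer = cert.subject
    return problems


# Constructed certificates for the two hosts in the thread.
CA1 = Cert("CA1", "CA1", version=3, is_ca=True)
CA2_V1 = Cert("CA2", "CA1", version=1)            # v1: no basicConstraints possible
CA2_V3 = Cert("CA2", "CA1", version=3, is_ca=True)
EEA = Cert("EEA", "CA2", version=3, is_ca=False)
EEB = Cert("EEB", "CA2", version=3, is_ca=False)


def host_a_with_v1_ca2() -> List[str]:
    # Host A trusts CA1, so CA2 is an intermediate in the path: a v1 CA2 is rejected.
    return validate_path([CA2_V1, EEA], trust_anchor=CA1)


def host_b_with_v1_ca2() -> List[str]:
    # Host B trusts CA2 directly: as the trust anchor, the same v1 CA2 is permitted.
    return validate_path([EEB], trust_anchor=CA2_V1)


def host_a_with_v3_ca2() -> List[str]:
    # With CA2 reissued as v3 carrying cA=TRUE, host A's path is accepted.
    return validate_path([CA2_V3, EEA], trust_anchor=CA1)


if __name__ == "__main__":
    print("host A, v1 CA2:", host_a_with_v1_ca2())
    print("host B, v1 CA2:", host_b_with_v1_ca2())
    print("host A, v3 CA2:", host_a_with_v3_ca2())
```

The checker answers Brian's question the way Russ's split implies: whether a v1 CA2 is acceptable depends on the relying party, not on the certificate. The identical CA2 passes on host B, where it is configured as an anchor, and fails on host A, where it would have to prove its CA status through an extension it cannot carry.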