
Re: support for v1 certificates?



Brian:

> > >That said, if someone supports v3, v1 basically comes
> > >for free.
> >
> > Not really.  With v1 certificates, you cannot have the basic constraints
> > extension.  That was the point that started this thread.
>
>I meant "basically free" in the sense that very little additional
>implementation work is necessary.
>
>
> > >Does anyone care whether support for v1 is optional
> > >vs. mandatory?
> >
> > I do not see a need for v1 certificates in general.  That is why I
> > suggested breaking the discussion into two parts.  One part should address
> > trust anchors.  In this area, v1 should be permitted.  The other part
> > should address the certification path, which terminates at the trust
> > anchor, but does not include the trust anchor itself. In this area, v3
> > should be mandated.
>
>I'm not sure how that differs from saying that possibly any
>CA certificate -- any that is a trust anchor by local policy --
>can be a v1 certificate.
>
>Let's say host A has chain CA1->CA2->EEA while host B
>has chain CA2->EEB (CA2 is the trust anchor for B).
>If CA2 is a trust anchor, then are you saying that CA2
>should be permitted to be a v1 cert?

NO!

I am suggesting that a discussion of trust anchors is needed.  The use of 
v1 certs to install a trust anchor is reasonable.

If the cert is transmitted in IKE, then it ought to be a v3 cert.

Russ
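Added example, not part of this thread or of either author's code: a minimal DER walker that reads the X.509 version field and the basicConstraints extension, then applies the path policy Russ describes above. The trust anchor (installed locally, out of band) may be a v1 certificate, but every certificate in the path must be v3, and every intermediate CA must carry basicConstraints with cA=TRUE. The certificates are constructed inline with placeholder keys and signatures (no signature is verified), the parser assumes single-byte tags and definite lengths, and the chain is assumed to be ordered anchor first, end entity last.

```python
"""Version / basicConstraints path policy over DER certificates (added example).
Constructed certificates only: PLACEHOLDER key and signature, nothing is verified."""

SEQUENCE, SET, INTEGER, BOOLEAN, OID, NULL = 0x30, 0x31, 0x02, 0x01, 0x06, 0x05
OCTET_STRING, BIT_STRING, UTF8, UTCTIME = 0x04, 0x03, 0x0C, 0x17
VERSION_TAG, EXTENSIONS_TAG = 0xA0, 0xA3          # [0] EXPLICIT and [3] EXPLICIT in TBSCertificate
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19


def der_encode(tag, body):
    """Encode one TLV with DER definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_decode(buf, pos=0):
    """Return (tag, body, next_pos) for the single-byte-tag TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(body):
    """Split a constructed body into its list of (tag, inner) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_decode(body, pos)
        out.append((tag, inner))
    return out


def parse_cert(der):
    """Extract version and basicConstraints.cA from a DER Certificate."""
    _, cert_body, _ = der_decode(der)
    _, tbs_body = der_children(cert_body)[0]           # tbsCertificate
    fields = der_children(tbs_body)
    version = 1                                        # v1 omits the [0] field (DEFAULT v1)
    if fields[0][0] == VERSION_TAG:
        version = der_children(fields[0][1])[0][1][0] + 1
    is_ca = None                                       # None = no basicConstraints present
    for tag, inner in fields:
        if tag != EXTENSIONS_TAG:
            continue
        for _, ext_body in der_children(der_children(inner)[0][1]):
            parts = der_children(ext_body)             # [extnID, (critical), extnValue]
            if parts[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            bc_fields = der_children(der_children(parts[-1][1])[0][1])
            is_ca = any(t == BOOLEAN and v == b"\xff" for t, v in bc_fields)
    return {"version": version, "is_ca": is_ca}


def check_path(chain):
    """chain[0] is the locally installed trust anchor, chain[-1] the end entity.
    Returns a list of policy violations; an empty list means the path is acceptable."""
    problems = []
    for i, der in enumerate(chain):
        if i == 0:
            continue                                   # anchor is not part of the path; v1 allowed
        info = parse_cert(der)
        if info["version"] != 3:
            problems.append(f"cert {i}: version {info['version']}, path certs must be v3")
        if i < len(chain) - 1 and info["is_ca"] is not True:
            problems.append(f"cert {i}: intermediate CA lacks basicConstraints cA=TRUE")
    return problems


def make_cert(version, subject, ca=None):
    """Build a syntactically valid Certificate with PLACEHOLDER key and signature."""
    name = der_encode(SEQUENCE, der_encode(SET, der_encode(SEQUENCE,
        der_encode(OID, bytes.fromhex("550403")) + der_encode(UTF8, subject.encode()))))
    alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d01010b")) + der_encode(NULL, b""))
    validity = der_encode(SEQUENCE, der_encode(UTCTIME, b"240101000000Z") * 2)
    spki = der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00PLACEHOLDER-KEY"))  # placeholder AlgorithmIdentifier
    fields = der_encode(INTEGER, b"\x01") + alg + name + validity + name + spki
    if version == 3:
        fields = der_encode(VERSION_TAG, der_encode(INTEGER, b"\x02")) + fields
        if ca is not None:                             # critical basicConstraints
            bc = der_encode(SEQUENCE, der_encode(BOOLEAN, b"\xff") if ca else b"")
            ext = der_encode(SEQUENCE, der_encode(OID, BASIC_CONSTRAINTS_OID)
                             + der_encode(BOOLEAN, b"\xff") + der_encode(OCTET_STRING, bc))
            fields += der_encode(EXTENSIONS_TAG, der_encode(SEQUENCE, ext))
    tbs = der_encode(SEQUENCE, fields)
    return der_encode(SEQUENCE, tbs + alg + der_encode(BIT_STRING, b"\x00PLACEHOLDER-SIG"))


# The two hosts from the thread: A trusts CA1 and sees CA1 -> CA2 -> EEA;
# B trusts CA2 directly and sees CA2 -> EEB.  All certificates are constructed.
CA1_V1 = make_cert(1, "CA1")                 # v1 root: acceptable only as an anchor
CA2_V3 = make_cert(3, "CA2", ca=True)
CA2_V1 = make_cert(1, "CA2")                 # the case the thread argues against
EEA = make_cert(3, "EEA", ca=False)
EEB = make_cert(3, "EEB", ca=False)

HOST_A_OK = check_path([CA1_V1, CA2_V3, EEA])    # []
HOST_B_OK = check_path([CA2_V3, EEB])            # []
HOST_A_BAD = check_path([CA1_V1, CA2_V1, EEA])   # two violations on cert 1
```

The same CA2 certificate is accepted as host B's anchor and rejected as an intermediate in host A's path when it is v1: the anchor is trusted by local configuration, whereas an intermediate has to prove it is a CA through an extension that a v1 certificate cannot carry.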