Re: support for v1 certificates?
Brian:
> > >That said, if someone supports v3, v1 basically comes
> > >for free.
> >
> > Not really. With v1 certificates, you cannot have the basic constraints
> > extension. That was the point that started this thread.
>
>I meant "basically free" in the sense that very little additional
>implementation work is necessary.
>
> > >Does anyone care whether support for v1 is optional
> > >vs. mandatory?
> >
> > I do not see a need for v1 certificates in general. That is why I
> > suggested breaking the discussion into two parts. One part should address
> > trust anchors. In this area, v1 should be permitted. The other part
> > should address the certification path, which terminates at the trust
> > anchor, but does not include the trust anchor itself. In this area, v3
> > should be mandated.
>
>I'm not sure how that differs from saying that possibly any
>CA certificate -- any that is a trust anchor by local policy --
>can be a v1 certificate.
>
>Let's say host A has chain CA1->CA2->EEA while host B
>has chain CA2->EEB (CA2 is the trust anchor for B).
>If CA2 is a trust anchor, then are you saying that CA2
>should be permitted to be a v1 cert?
NO!
I am suggesting that a discussion of trust anchors is needed. The use of
v1 certs to install a trust anchor is reasonable.
If the cert is transmitted in IKE, then it ought to be a v3 cert.
Russ
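An added example, not from Russ's or Brian's messages, that models the rule Russ states: the trust anchor may be a v1 certificate, but every certificate in the path below it must be v3, and any intermediate CA in that path must assert basicConstraints. Certificates are represented as simple records with assumed fields and constructed data; no real X.509 parsing is performed.

```python
# Added example: a minimal model of the v1/v3 rule from the thread.
# Cert fields and the sample chain are assumptions, not real certificates.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    name: str
    issuer: str
    version: int                                  # 1 or 3 (X.509 v1 / v3)
    basic_constraints_ca: Optional[bool] = None   # None = extension absent

    def __post_init__(self):
        # X.509 v1 certificates have no extensions field, so a v1 cert
        # can never carry basicConstraints (the point that began the thread).
        if self.version == 1 and self.basic_constraints_ca is not None:
            raise ValueError(f"{self.name}: v1 certificates cannot carry extensions")


def check_path(path, trust_anchor):
    """path: certs from the one issued by the trust anchor down to the end
    entity. The trust anchor itself is not part of the path and may be v1;
    every cert in the path must be v3, and every intermediate CA in the path
    must assert basicConstraints cA=TRUE. Returns a list of problems."""
    problems = []
    expected_issuer = trust_anchor.name
    for i, cert in enumerate(path):
        is_end_entity = i == len(path) - 1
        if cert.issuer != expected_issuer:
            problems.append(f"{cert.name}: issued by {cert.issuer}, expected {expected_issuer}")
        if cert.version != 3:
            problems.append(f"{cert.name}: version {cert.version}, v3 required in path")
        if not is_end_entity and cert.basic_constraints_ca is not True:
            problems.append(f"{cert.name}: intermediate CA lacks basicConstraints cA=TRUE")
        expected_issuer = cert.name
    return problems


# Brian's scenario (constructed data): host A trusts CA1 and sees CA1->CA2->EEA;
# host B trusts CA2 directly and sees CA2->EEB.
ca1_v1 = Cert("CA1", "CA1", 1)                               # self-signed v1 anchor
ca2_v1 = Cert("CA2", "CA1", 1)                               # v1 CA2, installed locally
ca2_v3 = Cert("CA2", "CA1", 3, basic_constraints_ca=True)    # v3 CA2 as sent in IKE
eea = Cert("EEA", "CA2", 3, basic_constraints_ca=False)
eeb = Cert("EEB", "CA2", 3, basic_constraints_ca=False)

host_b = check_path([eeb], trust_anchor=ca2_v1)              # CA2 is the anchor: fine
host_a_bad = check_path([ca2_v1, eea], trust_anchor=ca1_v1)  # CA2 in path: rejected
host_a_ok = check_path([ca2_v3, eea], trust_anchor=ca1_v1)   # v3 CA2 in path: fine
```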