Strength in Complexity?

Florian Weimer fw at deneb.enyo.de
Fri Jul 4 19:42:02 EDT 2008


* Peter Gutmann:

> [1] Show of hands, how many people here not directly involved with X.509 work
>     knew that the spec required that all extensions in CA root certificates
>     ("trust anchors" in recent X.509 jargon) be ignored by an implementation?
>     So if you put in name constraints, key usage constraints, a policy
>     identifier, etc, then a conforming implementation is supposed to look at
>     them, throw them away, and proceed as if they weren't there?

Are you sure that the constraints are not supposed to be applied when
the root certificate is actually processed, after its signature has been
verified by the trust anchor?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
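
The two readings discussed in the message above, as an added example that is not part of the original post or of any X.509 implementation: a simplified Python model of dNSName name-constraint processing in which the trust anchor's own extensions are either ignored or applied as an initial constraint. There is no ASN.1 parsing or signature checking, and the `Cert` class, the `validate` function and every certificate name are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:  # constructed stand-in for a parsed certificate
    subject: str
    issuer: str
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName
    permitted_dns: Optional[List[str]] = None  # nameConstraints permittedSubtrees

def dns_within(name: str, subtree: str) -> bool:
    # dNSName constraint: the subtree itself, or labels added on the left
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)

def validate(anchor: Cert, path: List[Cert], apply_anchor_constraints: bool):
    """path runs from the CA issued by the anchor down to the end entity."""
    constraints = []  # one permitted set per constraining CA; all must hold
    if apply_anchor_constraints and anchor.permitted_dns is not None:
        constraints.append(anchor.permitted_dns)
    expected_issuer = anchor.subject
    for cert in path:
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issuer does not chain"
        for name in cert.dns_names:
            for permitted in constraints:
                if not any(dns_within(name, s) for s in permitted):
                    return False, f"{name} outside permitted subtrees {permitted}"
        if cert.permitted_dns is not None:
            constraints.append(cert.permitted_dns)
        expected_issuer = cert.subject
    return True, "ok"

# Constructed sample hierarchy: only the root carries a name constraint.
ROOT = Cert("CN=Example Root", "CN=Example Root", permitted_dns=["example.com"])
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root")
LEAF_IN = Cert("CN=www", "CN=Example Issuing CA", ["www.example.com"])
LEAF_OUT = Cert("CN=www", "CN=Example Issuing CA", ["www.example.net"])

if __name__ == "__main__":
    for leaf in (LEAF_IN, LEAF_OUT):
        for apply in (False, True):
            ok, why = validate(ROOT, [ISSUING, leaf], apply)
            print(leaf.dns_names[0], "apply_anchor=%s" % apply, ok, why)
```

With the anchor treated only as a name and key, the `www.example.net` leaf validates; a constraint takes effect in both modes only when it sits on a certificate inside the path.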


