[127456] in cryptography@c2.net mail archive
Re: Strength in Complexity?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sat Jul 5 13:21:41 2008
From: Florian Weimer <fw@deneb.enyo.de>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Cc: perry@piermont.com, cryptography@metzdowd.com
Date: Sat, 05 Jul 2008 01:42:02 +0200
In-Reply-To: <E1KEB4o-0008RH-BU@wintermute01.cs.auckland.ac.nz> (Peter
Gutmann's message of "Thu, 03 Jul 2008 10:45:26 +1200")
* Peter Gutmann:
> [1] Show of hands, how many people here not directly involved with X.509 work
> knew that the spec required that all extensions in CA root certificates
> ("trust anchors" in recent X.509 jargon) be ignored by an implementation?
> So if you put in name constraints, key usage constraints, a policy
> identifier, etc, then a conforming implementation is supposed to look at
> them, throw them away, and proceed as if they weren't there?
Are you sure that the constraints are not supposed to be applied when
the root certificate is actually processed, after its signature has been
verified by the trust anchor?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
