Paul,
Paul Hoffman wrote:
It seems to me also that a self-signed certificate marked as a trust anchor,
ie. a root, probably shouldn't have an AIA extension.
Wait. No kind of certificate is marked as a trust anchor. I assume you probably mean
"root" as in a self-signed cert with the CA bit turned on.
I meant marked as a trust anchor in the NSS certificate database.
At least it wouldn't make much sense for it to point to any OCSP responder,
since the root cannot revoke itself - there is no one above the root to revoke
it.
Correct, but don't forget that the AIA has two uses. It is quite reasonable for
a root to have an AIA extension with id-ad-caIssuers.
I am aware of that, but I was thinking about it in the context of OCSP only.
Perhaps these are not really roots.
Tell that to VeriSign. Here is the dump of the extensions, taken from their cert
in the Firefox root pile:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Subject Key Identifier:
            F1:5A:89:93:55:47:4B:BA:51:F5:4E:E0:CB:16:55:F4:D7:CC:38:67
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 CRL Distribution Points:
            URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl
        X509v3 Certificate Policies:
            Policy: 2.16.840.1.113733.1.7.23.6
              CPS: https://www.verisign.com/rpa
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication,
            Netscape Server Gated Crypto, Microsoft Server Gated Crypto
        X509v3 Authority Key Identifier:
            keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF
        Authority Information Access:
            OCSP - URI:http://EVIntl-ocsp.verisign.com
            CA Issuers - URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer
        1.3.6.1.5.5.7.1.12:
            0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
What was the subject and issuer for that certificate? Was it self-issued?
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
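The check the thread ends on (compare subject and issuer, look at the CA bit, then split the AIA into its OCSP and caIssuers access methods) can be run with openssl alone. The script below is an added example and is not code from the thread or from NSS; the names, key sizes and URLs (ocsp.example.test, aia.example.test) are made up for the example. It builds a self-signed CA certificate that carries both AIA access methods, issues one end-entity certificate under it, and then applies the thread's argument: a caIssuers pointer is legitimate on a root, but an OCSP pointer on a self-issued CA certificate cannot be used to revoke it, since nobody above the root signs an OCSP response for it.

```shell
#!/bin/sh
# Added example (not from the thread). Requires openssl 1.1.1 or later.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Config for a self-signed root: subject == issuer, CA:TRUE, and an AIA with
# both access methods. A real root would not normally carry the OCSP pointer.
cat > "$WORK/root.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3
[dn]
CN = Example Root CA
[v3]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityInfoAccess = OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://aia.example.test/root.cer
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/root.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# An end-entity certificate issued by that root, with the same AIA. Here the
# OCSP pointer makes sense: the root (the party above it) can answer for it.
cat > "$WORK/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.test
EOF
cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
authorityInfoAccess = OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://aia.example.test/root.cer
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Summarise one certificate as a single line:
#   self-issued=<yes|no> ca=<yes|no> ocsp=<yes|no> caissuers=<yes|no>
# "self-issued" here means subject DN == issuer DN, which is the question asked
# at the end of the thread (a self-issued cert need not be self-signed, but every
# self-signed cert is self-issued).
describe_cert() {
  cert=$1
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
  if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then self=yes; else self=no; fi
  text=$(openssl x509 -in "$cert" -noout -text)
  case "$text" in *"CA:TRUE"*) ca=yes ;; *) ca=no ;; esac
  # These two labels are exactly what openssl prints under
  # "Authority Information Access:", as in the dump quoted in the thread.
  case "$text" in *"OCSP - URI:"*) ocsp=yes ;; *) ocsp=no ;; esac
  case "$text" in *"CA Issuers - URI:"*) cai=yes ;; *) cai=no ;; esac
  echo "self-issued=$self ca=$ca ocsp=$ocsp caissuers=$cai"
}

# The thread's argument applied mechanically: only the combination
# self-issued CA + OCSP access method is flagged; caIssuers is always fine.
aia_verdict() {
  case "$(describe_cert "$1")" in
    *"self-issued=yes ca=yes ocsp=yes"*) echo "OCSP pointer on a self-issued CA is meaningless" ;;
    *) echo "ok" ;;
  esac
}

describe_cert "$WORK/root.pem"
aia_verdict "$WORK/root.pem"
describe_cert "$WORK/leaf.pem"
aia_verdict "$WORK/leaf.pem"
```

Run against a certificate pulled out of the NSS database (for example with `certutil -L -n <nickname> -a -d <dbdir>`), describe_cert gives the same one-line answer for the cert in the thread: subject and issuer differ and the CA bit is off, so it is neither self-issued nor a root, and the OCSP pointer in its AIA is perfectly sensible.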