Xuelei Fan wrote:
>
>
> Weijun Wang wrote:
>> Maybe you can be even more strict: If the trust anchor (cert[0]) is
>> already v3, cert[1] must also be v3. Is this reasonable?
>>
>
> Currently, the checker knows nothing about the trust anchor. If we
> support the above checking, we need to update the checker and let it
> know the trust anchor's certificate; it is a little bit complex. The
> trust anchor is not in the certification path, cert[0] is the cert
> directly issued by the trust anchor. So, maybe, it is reasonable, I
> don't think it is worthy of too many changes.

Oh, that's OK. I see 'if (i == 1)' so I thought there's an i == 0 cert
somewhere.

Thanks
Max

>
> Thanks,
> Andrew
>
>> Max
>>
>> Xuelei Fan wrote:
>>
>>> Weijun Wang wrote:
>>>
>>>> Xuelei Fan wrote:
>>>>
>>>>
>>>>> Weijun Wang wrote:
>>>>>
>>>>>> + // We choose to reject all version 1 and version 2 intermediate
>>>>>> + // certificates except that it is self issued by the trust
>>>>>> + // anchor in order to support key rollover or changes in
>>>>>> + // certificate policies.
>>>>>> + int pathLenConstraint = -1;
>>>>>> + if (currCert.getVersion() < 3) { // version 1 or version 2
>>>>>> + if (i == 1) { // issued by a trust anchor
>>>>>>
>>>>>> So, a self-issued cert can only be issued by a trust anchor, but not
>>>>>> by an intermediate CA?
>>>>>>
>>>>> No, a self-issued cert can be issued by any entity, but I choose to
>>>>> reject those self-issued version 1 and version 2 certificates here,
>>>>> because I have no way to understand whether it is a CA or not.
>>>>>
>>>> One question: what's the version of the trust anchor in the failed
>>>> test? Is it v1?
>>>>
>>>>
>>> It is V1, and it issues a self-issued V1 certificate to renew the
>>> private key, so there is an intermediate V1 CA cert.
>>>
>>>> If so, I think the reason the test fails is because it's written in
>>>> the v1 age. So my suggestion is that if the trust anchor is v1, then
>>>> we wouldn't expect the other certs to obey any new rules. Otherwise,
>>>> if the trust anchor is already v3, the validation should conform to
>>>> the latest RFC.
>>>>
>>> RFC5280 allows V1/V2 certificates, and specifies how to handle version 1
>>> and version 2 intermediate CA certs. We can just reject them simply as
>>> the spec requires. I just think we need to support the special case:
>>> key rollover.
>>>
>>>> In practical cases, is there a CA whose self-signed cert is v3, but it
>>>> issues a self-issued cert of v1?
>>>>
>>>>
>>> Many, many Verisign root certs are V1, and the intermediate certs are V3.
>>>
>>> Thanks,
>>> Andrew
>>>
>>>> Thanks
>>>> Max
>>>>
>>>>
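Review bot: the block comment in the quoted hunk says v1/v2 intermediates are tolerated only when "self issued by the trust anchor", but the condition visible in the quoted lines, `if (i == 1) { // issued by a trust anchor`, tests only the certificate's position in the path (the cert directly issued by the anchor), not that it is self-issued (subject name equal to issuer name). If the quoted fragment is the whole test, either add that subject/issuer comparison inside the `i == 1` branch or reword the block comment to "directly issued by the trust anchor" so the comment and the code agree; as it stands the two different wordings are what led to the i == 0 confusion earlier in this thread.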
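The rule the thread settles on, as an added example rather than the JDK's own ConstraintsChecker code: a path check over a constructed certificate model that rejects v1/v2 intermediates unless the cert in position 1 is self-issued by the trust anchor (the key-rollover case), accepts a v1 root with v3 intermediates, and rejects a v1 self-issued cert from an intermediate CA. The `Cert` class, its fields and the sample chains are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields the rule looks at."""
    subject: str
    issuer: str
    version: int                                 # 1, 2 or 3, as X509Certificate.getVersion() reports it
    basic_constraints_ca: Optional[bool] = None  # None = extension absent (always so for v1 and v2)
    key_id: str = "k1"                           # lets a rolled-over cert differ from the anchor

    def is_self_issued(self) -> bool:
        return self.subject == self.issuer

def check_path(trust_anchor: Cert, path: List[Cert]) -> Optional[str]:
    """path[0] is the cert directly issued by the trust anchor (the anchor itself is not in
    the path); path[-1] is the end entity. Returns None if accepted, else the rejection reason."""
    expected_issuer = trust_anchor.subject
    for i, cert in enumerate(path, start=1):     # count from 1, like the JDK checker's i
        if cert.issuer != expected_issuer:
            return f"cert {i}: issuer {cert.issuer!r} does not chain to {expected_issuer!r}"
        if i != len(path):                       # an intermediate, not the end entity
            if cert.version < 3:
                # v1/v2 certs cannot carry basicConstraints, so CA status is unverifiable; the
                # one tolerated case is the anchor rolling its own key: self-issued, position 1.
                if not (i == 1 and cert.is_self_issued()):
                    return f"cert {i}: v{cert.version} intermediate is not a trust-anchor key rollover"
            elif cert.basic_constraints_ca is not True:
                return f"cert {i}: v3 intermediate lacks basicConstraints cA=TRUE"
        expected_issuer = cert.subject
    return None

# Constructed sample certificates (names, versions and key ids are illustrative).
ROOT_V1 = Cert("CN=Old Root", "CN=Old Root", 1)                          # v1 trust anchor
ROLLOVER_V1 = Cert("CN=Old Root", "CN=Old Root", 1, key_id="k2")         # anchor's new key, same name
ISSUING_CA_V3 = Cert("CN=Issuing CA", "CN=Old Root", 3, True)
LEGACY_CA_V1 = Cert("CN=Legacy CA", "CN=Old Root", 1)                    # v1 intermediate, not self-issued
CA_ROLLOVER_V1 = Cert("CN=Issuing CA", "CN=Issuing CA", 1, key_id="k3")  # self-issued, but not by the anchor
SERVER_V3 = Cert("CN=www.example.test", "CN=Issuing CA", 3, False)
LEGACY_SERVER_V3 = Cert("CN=www.example.test", "CN=Legacy CA", 3, False)

if __name__ == "__main__":
    for label, path in [("v1 root, v3 CA", [ISSUING_CA_V3, SERVER_V3]),
                        ("anchor key rollover", [ROLLOVER_V1, ISSUING_CA_V3, SERVER_V3]),
                        ("v1 intermediate", [LEGACY_CA_V1, LEGACY_SERVER_V3]),
                        ("CA's own v1 rollover", [ISSUING_CA_V3, CA_ROLLOVER_V1, SERVER_V3])]:
        print(f"{label}: {check_path(ROOT_V1, path) or 'accepted'}")
```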