Dr S N Henson wrote:
> Extensions are also used for security purposes, for example to indicate
> whether a certificate is a valid CA certificate and to prevent end user
> certificates being able to masquerade as CAs.
I would definitely consider the ability to constrain issued certificates
through extensions enough of a reason to flag v3 a "must-have".
At a glance, neither the X.509 nor the PKIX path validation algorithms
support any means save certificate extensions of constraining the
maximum valid length of a certification path.
Thus, I can only assume, there would seem to be no standardized,
portable way of preventing the end-user of a v1 certificate using system
from issuing certificates to third parties using his end-user key, thus
surreptitiously promoting himself to an intermediate certification
authority. Nice money if you can get it, I guess. :-)
OpenSSL, IIRC, has the ability to introduce a 'maximum allowable path
length' into the path validation algorithm, but I'm unfortunately not
familiar with other toolkits.
//oscar
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]