The following errata report has been held for document update for RFC6487, "A Profile for X.509 PKIX Resource Certificates".
--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6854

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Corey Bonnell <[email protected]>
Date Reported: 2022-02-16
Held by: John Scudder (IESG)

Section: 4.8.1

Original Text
-------------
The Basic Constraints extension field is a critical extension in the
resource certificate profile, and MUST be present when the subject is
a CA, and MUST NOT be present otherwise.

The issuer determines whether the "cA" boolean is set.

Corrected Text
--------------
The Basic Constraints extension field is critical and MUST be present
when the "cA" field is TRUE, otherwise it MUST NOT be present.

Notes
-----
See discussion at https://mailarchive.ietf.org/arch/msg/sidrops/dPCiDz_pDR68G4cTC8W7X5LTE5o/

The original text is tautological -- Since according to RFC 5280 §4.2.1.9 the "cA" boolean MUST be set when the subject is a CA, and MUST NOT be set when the subject is not a CA, then it's axiomatic that

cA boolean set <=> Basic Constraints field present <=> subject is a CA

Although the original text is not strictly speaking wrong, it's potentially misleading since it could be read as implying that it's possible to have the cA boolean FALSE in a CA certificate, which is not so.

--------------------------------------
RFC6487 (draft-ietf-sidr-res-certs-22)
--------------------------------------
Title               : A Profile for X.509 PKIX Resource Certificates
Publication Date    : February 2012
Author(s)           : G. Huston, G. Michaelson, R. Loomans
Category            : PROPOSED STANDARD
Source              : Secure Inter-Domain Routing
Area                : Routing
Stream              : IETF
Verifying Party     : IESG
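The corrected Section 4.8.1 rule, written as a validator check: an added example, not part of the errata report or of RFC 6487. The function names and the hex-encoded sample extensions are constructed for illustration; the input is assumed to be the certificate's individual DER-encoded Extension values.

```python
# Added example: conformance check for RFC 6487 Section 4.8.1 as corrected by the erratum.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19
TRUE = (0x01, b"\xff")                           # DER BOOLEAN TRUE as (tag, value)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints_problems(extensions):
    """Check a certificate's DER-encoded Extension values against the profile rule."""
    for ext in extensions:
        fields = children(read_tlv(ext)[1])      # extnID, [critical], extnValue
        if fields[0] != (0x06, BASIC_CONSTRAINTS_OID):
            continue
        problems = []
        if fields[1] != TRUE:                    # critical is DEFAULT FALSE, so may be absent
            problems.append("Basic Constraints is not marked critical")
        inner = children(read_tlv(fields[-1][1])[1])   # BasicConstraints inside OCTET STRING
        if not inner or inner[0] != TRUE:        # cA is DEFAULT FALSE, so may be absent
            problems.append("Basic Constraints present but cA is not TRUE")
        return problems
    return []   # extension absent: conforms as a non-CA (EE) certificate

# Constructed sample extensions (hex DER), not taken from any real certificate.
KEY_USAGE   = bytes.fromhex("300e0603551d0f0101ff040403020106")
CA_OK       = bytes.fromhex("300f0603551d130101ff040530030101ff")
NOT_CRIT    = bytes.fromhex("300c0603551d13040530030101ff")
CA_NOT_TRUE = bytes.fromhex("300c0603551d130101ff04023000")

if __name__ == "__main__":
    for name in ("CA_OK", "NOT_CRIT", "CA_NOT_TRUE", "KEY_USAGE"):
        print(name, basic_constraints_problems([globals()[name]]))
```

The CA_NOT_TRUE sample is the case the erratum's notes rule out: a Basic Constraints extension that is present while cA takes its default of FALSE.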
