Hi Denis,
On Fri, Nov 20, 2009 at 06:45, Denis Pinkas <denis.pinkas at bull.net> wrote:
> The key point is that CAs issue self-signed certificates *without* constraints
> in them, and it is up to the RPs or the TAS managers to decide which
> constraints should be used with a given self-signed certificate.
>
> These constraints will not be *within* the self-signed certificate but
> *outside* of it. TAMP does not allow supporting this case, but should be
> able to support it.
This is not accurate. To add these constraints to a self-signed
certificate *outside* of it, you use a TrustAnchorInfo structure:
   TrustAnchorInfo ::= SEQUENCE {
      version        TrustAnchorInfoVersion DEFAULT v1,
      pubKey         SubjectPublicKeyInfo,
      keyId          KeyIdentifier,
      taTitle        TrustAnchorTitle OPTIONAL,
      certPath       CertPathControls OPTIONAL,
      exts           [1] EXPLICIT Extensions OPTIONAL,
      taTitleLangTag [2] UTF8String OPTIONAL }
pubKey and keyId come from the certificate. The certPath field carries
both the self-signed certificate itself and the constraints you'd like
to impose:
   CertPathControls ::= SEQUENCE {
      taName            Name,
      certificate       [0] Certificate OPTIONAL,
      policySet         [1] CertificatePolicies OPTIONAL,
      policyFlags       [2] CertPolicyFlags OPTIONAL,
      nameConstr        [3] NameConstraints OPTIONAL,
      pathLenConstraint [4] INTEGER (0..MAX) OPTIONAL }
Other constraints (e.g. CCC) go in the exts field of TrustAnchorInfo.
Regards,
Geoff
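As an added illustration (not part of Geoff's message or of the RFC 5914 text), the following Python script DER-encodes a CertPathControls that attaches a name constraint and a path-length constraint to a trust anchor, then decodes it to report which OPTIONAL fields are present. The trust anchor name and the permitted DNS name are constructed sample values, and the encoder leaves certificate, policySet and policyFlags absent.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short form below 128, long form (1 or 2 octets) above."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body
def ctx(n: int, body: bytes, constructed: bool = True) -> bytes:
    """Context-specific IMPLICIT tag [n] (the RFC 5914 module uses IMPLICIT TAGS)."""
    return tlv(0x80 | (0x20 if constructed else 0) | n, body)

def int_body(v: int) -> bytes:
    """Content octets of a non-negative INTEGER (leading 0x00 when the high bit is set)."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3, UTF8String)."""
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def name_constraints(permitted_dns: list) -> bytes:
    """NameConstraints with permittedSubtrees [0]; each base is a dNSName GeneralName ([2] IA5String)."""
    subtrees = b"".join(tlv(0x30, ctx(2, d.encode("ascii"), False)) for d in permitted_dns)
    return tlv(0x30, ctx(0, subtrees))

def cert_path_controls(ta_name: str, permitted_dns: list, path_len=None) -> bytes:
    """CertPathControls; certificate [0], policySet [1] and policyFlags [2] are left absent (all OPTIONAL)."""
    body = name_cn(ta_name) + ctx(3, name_constraints(permitted_dns))
    if path_len is not None:  # pathLenConstraint 0 is a valid value and must not be dropped
        body += ctx(4, int_body(path_len), False)
    return tlv(0x30, body)

def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the DER element starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low bits give the octet count
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

FIELDS = {0: "certificate", 1: "policySet", 2: "policyFlags", 3: "nameConstr", 4: "pathLenConstraint"}
def present_controls(cpc: bytes) -> dict:
    """Map each OPTIONAL field found after taName to its decoded value (pathLen) or content length."""
    tag, body, _ = parse_tlv(cpc)
    assert tag == 0x30, "CertPathControls must be a SEQUENCE"
    _, _, off = parse_tlv(body)  # skip the mandatory taName
    found = {}
    while off < len(body):
        tag, val, off = parse_tlv(body, off)
        name = FIELDS[tag & 0x1F]
        found[name] = int.from_bytes(val, "big") if name == "pathLenConstraint" else len(val)
    return found
```

Calling `present_controls(cert_path_controls("Example Root CA", ["example.com"], path_len=0))` returns `{'nameConstr': 19, 'pathLenConstraint': 0}`, showing the constraints travelling in the trust anchor structure rather than in any certificate extension.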
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.