RFC 6487, "A Profile for X.509 PKIX Resource Certificates", February 2012Source of RFC: sidr (rtg)
Errata ID: 6854
Status: Held for Document Update
Publication Format(s) : TEXT
Reported By: Corey Bonnell
Date Reported: 2022-02-16
Held for Document Update by: John Scudder
Date Held: 2022-05-24
Section 4.8.1 says:
The Basic Constraints extension field is a critical extension in the resource certificate profile, and MUST be present when the subject is a CA, and MUST NOT be present otherwise. The issuer determines whether the "cA" boolean is set.
It should say:
The Basic Constraints extension field is critical and MUST be present when the "cA" field is TRUE, otherwise it MUST NOT be present.
See discussion at https://mailarchive.ietf.org/arch/msg/sidrops/dPCiDz_pDR68G4cTC8W7X5LTE5o/
The original text is tautological -- Since according to RFC 5280 §18.104.22.168 the "cA" boolean MUST be set when the subject is a CA, and MUST NOT be set when the subject is not a CA, then it's axiomatic that
cA boolean set <=> Basic Constraints field present <=> subject is a CA
Although the original text is not strictly speaking wrong, it's potentially misleading since it could be read as implying that it's possible to have the cA boolean FALSE in a CA certificate, which is not so.