RFC Errata



RFC 6487, "A Profile for X.509 PKIX Resource Certificates", February 2012

Note: This RFC has been updated by RFC 7318, RFC 8209

Source of RFC: sidr (rtg)

Errata ID: 6854
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Corey Bonnell
Date Reported: 2022-02-16
Held for Document Update by: John Scudder
Date Held: 2022-05-24

Section 4.8.1 says:

   The Basic Constraints extension field is a critical extension in the
   resource certificate profile, and MUST be present when the subject is
   a CA, and MUST NOT be present otherwise.

   The issuer determines whether the "cA" boolean is set.

It should say:

   The Basic Constraints extension field is critical and MUST be present 
   when the "cA" field is TRUE, otherwise it MUST NOT be present.

Notes:

See discussion at https://mailarchive.ietf.org/arch/msg/sidrops/dPCiDz_pDR68G4cTC8W7X5LTE5o/

The original text is tautological -- Since according to RFC 5280 §4.2.1.9 the "cA" boolean MUST be set when the subject is a CA, and MUST NOT be set when the subject is not a CA, then it's axiomatic that

cA boolean set <=> Basic Constraints field present <=> subject is a CA

Although the original text is not strictly speaking wrong, it's potentially misleading since it could be read as implying that it's possible to have the cA boolean FALSE in a CA certificate, which is not so.
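
An added example (not part of the erratum or of RFC 6487): a validator-side check of the corrected Section 4.8.1 rule, run over DER-encoded Extension structures. The function names, the `used_as_ca` flag (the caller's knowledge of whether the certificate issues other objects) and the sample byte strings are assumptions constructed for illustration.

```python
# Added example: the sample byte strings are constructed, not from real certificates.
BC_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19
CA_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")   # critical, cA TRUE
EMPTY_BC = bytes.fromhex("300c0603551d130101ff04023000")       # critical, cA absent (FALSE)
NONCRIT_CA = bytes.fromhex("300c0603551d13040530030101ff")     # not critical, cA TRUE
KEY_USAGE = bytes.fromhex("300e0603551d0f0101ff040403020106")  # unrelated extension

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def basic_constraints(ext_der):
    """Return (critical, cA) for a Basic Constraints Extension, else None."""
    tag, body, _ = read_tlv(ext_der)
    oid_tag, oid, pos = read_tlv(body)
    if tag != 0x30 or oid_tag != 0x06 or oid != BC_OID:
        return None
    tag, val, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # optional BOOLEAN critical (DEFAULT FALSE)
        critical = val != b"\x00"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue OCTET STRING expected")
    seq_tag, seq, _ = read_tlv(val)
    if seq_tag != 0x30:
        raise ValueError("BasicConstraints SEQUENCE expected")
    # cA is the first element when encoded; an empty SEQUENCE means FALSE.
    ca = bool(seq) and seq[0] == 0x01 and read_tlv(seq)[1] != b"\x00"
    return critical, ca

def check_4_8_1(extensions, used_as_ca):
    """List violations of the corrected rule for one certificate's extensions."""
    found = [bc for bc in map(basic_constraints, extensions) if bc is not None]
    if not found:
        return ["CA certificate lacks Basic Constraints"] if used_as_ca else []
    critical, ca = found[0]
    problems = [] if critical else ["Basic Constraints not critical"]
    if not ca:
        problems.append("Basic Constraints present but cA is not TRUE")
    if ca and not used_as_ca:
        problems.append("cA is TRUE on a certificate treated as EE")
    return problems
```

The `EMPTY_BC` case is the reading the erratum warns about: the extension is present but cA is FALSE, which the corrected text rules out.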
