> This is awkward .. but with these two properties it works..
>
> <property name="maxPathLength" value="3" />
> <property name="maxPathLengthAllowUnspecified" value="true" />

The naming might be a little confusing, but they are designed to be used together in some cases. Certain software issues CA certificates with a value of 2^32-1 for the PathLength basic constraint to indicate unspecified instead of omitting the field altogether per http://www.ietf.org/rfc/rfc2459.txt. This causes problems with PKIX validation in Java. The maxPathLengthAllowUnspecified flag overcomes these troubles by treating 2^32-1 as a special value equivalent to the field having been omitted. The maxPathLength attribute is for CA certificates that actually specify a meaningful PathLength constraint.

M
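
An added example, not part of the original message and not CAS source code: a sketch of how the two properties discussed above can interact when a handler evaluates a CA certificate. It assumes the value is read with Java's `X509Certificate.getBasicConstraints()`, which returns -1 for a non-CA certificate and `Integer.MAX_VALUE` for a CA certificate that carries no path length limit, and that a specified limit passes when it is no greater than `maxPathLength`; the class and enum names are hypothetical.

```java
import java.security.cert.X509Certificate;

// Hypothetical class, not CAS source: models the two properties from the thread.
public class PathLengthPolicy {
    enum Decision { NOT_A_CA, ACCEPT, REJECT_TOO_LONG, REJECT_UNSPECIFIED }

    private final int maxPathLength;
    private final boolean allowUnspecified;

    PathLengthPolicy(int maxPathLength, boolean allowUnspecified) {
        this.maxPathLength = maxPathLength;
        this.allowUnspecified = allowUnspecified;
    }

    // Entry point for a real certificate taken from the presented chain.
    Decision check(X509Certificate cert) {
        return check(cert.getBasicConstraints());
    }

    // pathLength uses the getBasicConstraints() encoding described in the lead-in.
    Decision check(int pathLength) {
        if (pathLength < 0) {
            return Decision.NOT_A_CA;            // end-entity: the limit does not apply
        }
        if (pathLength == Integer.MAX_VALUE) {   // no usable limit in the certificate
            return allowUnspecified ? Decision.ACCEPT : Decision.REJECT_UNSPECIFIED;
        }
        // Assumption: a specified limit is accepted when it does not exceed the policy.
        return pathLength <= maxPathLength ? Decision.ACCEPT : Decision.REJECT_TOO_LONG;
    }

    public static void main(String[] args) {
        // Constructed sample values: end-entity, pathLen 0, 3, 5, and "unspecified".
        int[] samples = { -1, 0, 3, 5, Integer.MAX_VALUE };
        PathLengthPolicy strict = new PathLengthPolicy(3, false);
        PathLengthPolicy fromThread = new PathLengthPolicy(3, true);
        for (int s : samples) {
            System.out.printf("pathLength=%d strict=%s fromThread=%s%n",
                    s, strict.check(s), fromThread.check(s));
        }
    }
}
```

The two policies differ only on the last sample: with the flag off, a CA certificate without a usable limit is rejected even though `maxPathLength` is set, which matches the behaviour the quoted poster worked around by setting both properties.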