On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed:
> Well if the certificate is correctly encoded and pathlen is absent then
> it should interpret it as unlimited. This is specified in a number of
> places including RFC2459. If Netscape is doing otherwise then it's a bug.
>
> I haven't seen that popup you mention before. If this standard Netscape
> 4.76 or PSM? Is this standard Netscape 4.76 or PSM? I'd like to reproduce it and report it at some point.
Ok, after a quick test, it appears that leaving the pathlen constraint
out altogether will allow intermediate CAs in the chain (I only tested
one so far). My problem arose because the *default* in the
distributed openssl.cnf file specifies the pathlen as 0, meaning you
can only sign server or user certs, not intermediate CAs.
To be honest, it could be considered (as I mentioned in my previous
post) to be somewhat of a security hole. Of course the signer should
be deciding to sign a server cert or a CA explicitly, and should test
it afterward, but there is an opening for some human error to be
exploited at some point. Pretty thin, I know, but it should be
considered.
Looking at the root certs in ca-bundle.crt, distributed with mod_ssl,
the following root CAs do define a pathlen:
American Express Global Certificate Authority
Deutsche Telekom AG
GTE Corporation
All of them define it to be 5.
Interesting.
Regards
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net
Any sufficiently advanced technology is indistinguishable from magic.
-- Arthur C. Clarke
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
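To make the rule discussed in this thread concrete, here is an added Python example (not from the original post, and not OpenSSL's own code) that parses an openssl.cnf basicConstraints value and walks a chain applying the path-length rule from RFC 2459/5280 section 6.1.4: an absent pathlen means unlimited, pathlen:0 allows only end-entity certificates beneath that CA. The Cert class and the sample chains are simplified, constructed stand-ins for real certificates.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str
    is_ca: bool
    pathlen: Optional[int] = None   # None: pathLenConstraint absent, i.e. unlimited

def parse_basic_constraints(value: str) -> Tuple[bool, Optional[int]]:
    """Parse an openssl.cnf basicConstraints value such as
    'critical, CA:true, pathlen:0' into (is_ca, pathlen)."""
    is_ca, pathlen = False, None
    for part in value.split(","):
        key, _, val = part.strip().partition(":")
        if key.lower() == "ca":
            is_ca = val.strip().lower() == "true"
        elif key.lower() == "pathlen":
            pathlen = int(val)
    return is_ca, pathlen

def cert(subject: str, basic_constraints: str) -> Cert:
    return Cert(subject, *parse_basic_constraints(basic_constraints))

def validate_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """Apply the path-length rules of RFC 2459/5280 section 6.1.4.
    chain[0] is the root CA, chain[-1] the end-entity certificate."""
    max_path: Optional[int] = None          # remaining CAs allowed; None = unlimited
    for i, c in enumerate(chain[:-1]):      # every issuing certificate
        if not c.is_ca:
            return False, f"{c.subject}: issuer is not a CA"
        if i > 0:                           # each intermediate uses one unit
            if max_path == 0:
                return False, f"{c.subject}: exceeds pathlen set by an earlier CA"
            if max_path is not None:
                max_path -= 1
        if c.pathlen is not None and (max_path is None or c.pathlen < max_path):
            max_path = c.pathlen            # tighten to this CA's own limit
    return True, "ok"

# Constructed sample certificates (not real ones) mirroring the thread.
STOCK_ROOT = cert("Root (stock openssl.cnf default)", "CA:true, pathlen:0")
OPEN_ROOT = cert("Root (pathlen absent)", "CA:true")
INTERMEDIATE = cert("Intermediate CA", "CA:true")
LEAF = cert("www.example.test", "CA:false")

if __name__ == "__main__":
    for chain in ([STOCK_ROOT, LEAF], [STOCK_ROOT, INTERMEDIATE, LEAF],
                  [OPEN_ROOT, INTERMEDIATE, LEAF]):
        print([c.subject for c in chain], validate_chain(chain))
```

Run as-is it shows the pathlen:0 root accepting a leaf but rejecting the intermediate, and the pathlen-free root accepting both; a root with pathlen:5, like the ca-bundle.crt entries mentioned above, accepts up to five intermediates.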