On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed:
> Well if the certificate is correctly encoded and pathlen is absent then
> it should interpret it as unlimited. This is specified in a number of
> places including RFC2459. If Netscape is doing otherwise then it's a bug.
> 
> I haven't seen that popup you mention before. If this standard Netscape
> 4.76 or PSM? I'd like to reproduce it and report it at some point.

Ok, after a quick test, it appears that leaving the pathlen constraint
out altogether will allow intermediate CAs in the chain (I only tested
one so far).  My problem arose because the *default* in the
distributed openssl.cnf file specifies the pathlen as 0, meaning you
can only sign server or user certs, not intermediate CAs.

To be honest, it could be considered (as I mentioned in my previous
post) to be somewhat of a security hole.  Of course the signer should
be deciding to sign a server cert or a CA explicitly, and should test
it afterward, but there is an opening for some human error to be
exploited at some point.  Pretty thin, I know, but it should be
considered.

Looking at the root certs in ca-bundle.crt, distributed with mod_ssl,
the following root CAs do define a pathlen:

American Express Global Certificate Authority
Deutsche Telekom AG
GTE Corporation

All of them define it to be 5.

Interesting.

Regards
Lou
-- 
Louis LeBlanc       [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Any sufficiently advanced technology is indistinguishable from magic.
    -- Arthur C. Clarke

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
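The pathlen behaviour Lou describes above (pathlen:0 in the distributed openssl.cnf versus leaving it out), as an added example that is not part of the original thread: a throwaway root, intermediate and leaf are generated with openssl(1) and `openssl verify` is asked whether the leaf validates. It assumes OpenSSL 1.1.1 or later; all names and the config fragment are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): builds a throwaway root -> intermediate
# -> leaf chain and runs "openssl verify" to show what the root's
# basicConstraints pathlen changes. Assumes openssl 1.1.1+; names constructed.
set -eu
# build_chain BC: BC is the root's basicConstraints value, either
#   "critical,CA:TRUE,pathlen:0" (the openssl.cnf default the post ran into)
#   or "critical,CA:TRUE" (pathlen absent, i.e. unlimited intermediates).
# Returns 0 if the leaf verifies through the intermediate, 1 otherwise.
build_chain() {
    bc="$1"
    d=$(mktemp -d)
    key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = $bc
EOF
    # Self-signed root carrying the requested basicConstraints.
    openssl req -x509 -new -config "$d/req.cnf" -extensions v3_root $key \
        -subj /CN=Test-Root -days 1 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA (CA:TRUE) signed by the root.
    openssl req -new -config "$d/req.cnf" $key -subj /CN=Test-Sub \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/sub.ext"
    openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/sub.ext" \
        -out "$d/sub.crt" 2>/dev/null
    # End-entity certificate signed by the intermediate.
    openssl req -new -config "$d/req.cnf" $key -subj /CN=www.example.test \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/sub.crt" \
        -CAkey "$d/sub.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/leaf.crt" 2>/dev/null
    # Only the root is trusted; the intermediate is passed as untrusted.
    if openssl verify -CAfile "$d/root.crt" -untrusted "$d/sub.crt" \
        "$d/leaf.crt"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
if command -v openssl >/dev/null 2>&1; then
    build_chain "critical,CA:TRUE,pathlen:0" || true  # rejected: no intermediates allowed
    build_chain "critical,CA:TRUE"                    # verifies
fi
```

Only the root is installed as trusted, so the result is exactly what a browser or mod_ssl client would see when it receives the intermediate in the handshake.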
