> certificate.) A pathLenConstraint of zero indicates that no non-
> self-issued intermediate CA certificates may follow in a valid
> certification path.
Validation of the certification path is the responsibility of the relying party
-- the recipient of data.
It is not safe to rely on the proper behavior of the signing parties. It never
was. OpenSSL is doing the right thing.
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Peter1234
Sent: Thursday, August 22, 2013 9:00 AM
To: [email protected]
Subject: RE: CA hierarchy / pathlen:0
> You misunderstand how it’s supposed to work.
> OpenSSL does not prevent you from signing anything. It can’t; for example, you
> could use other software and generate the signature.
> Instead, when the recipient gets a certificate, and verifies the chain, it
> should reject the chain because the signing CA was not legitimate (pathlen
> exceeded).
Hi Rich,
The following lines are copied from RFC 5280:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
I assumed openssl would conform to RFC standards and therefore I supposed that
it takes care of path lengths specified in CA certificates.
--
View this message in context:
http://openssl.6102.n7.nabble.com/CA-hierarchy-pathlen-0-tp46248p46288.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
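The behaviour Rich describes, shown end to end as an added example (this script is not part of the thread and is not OpenSSL's own code): the `openssl x509 -req` signing tool issues a sub-CA under a root that carries `pathlen:0` without complaint, and it is the relying party's chain validation (`openssl verify`) that rejects the resulting chain with "path length constraint exceeded". The script assumes `openssl` 1.1.1 or later on PATH; every CA and leaf name, file name and the `req.cnf` config are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from OpenSSL itself).
# Assumes: openssl 1.1.1+ on PATH; all CA/leaf names below are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config: empty DN section (subjects come from -subj) plus the
# root's extensions. pathlen:0 = no non-self-issued intermediate may follow.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_root
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF

# Extensions applied at issuance time (openssl x509 -req -extfile).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ee.ext

# newreq NAME CN : fresh P-256 key and CSR for NAME
newreq() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" -config req.cnf 2>/dev/null
}

# sign NAME ISSUER EXTFILE : issue NAME.crt from NAME.csr under ISSUER.
# Nothing here inspects ISSUER's own basicConstraints: the signer does not
# enforce pathlen, exactly as the thread says.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 1 -extfile "$3" -out "$1.crt" 2>/dev/null
}

build_hierarchy() {
    # Self-signed root with pathlen:0
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.crt -days 1 -subj "/CN=Demo Root" \
        -config req.cnf 2>/dev/null
    newreq sub "Demo Sub CA";       sign sub root ca.ext     # signing succeeds anyway
    newreq leaf "leaf.example";     sign leaf sub ee.ext     # chain: root -> sub -> leaf
    newreq direct "direct.example"; sign direct root ee.ext  # chain: root -> direct
}

# chain_status LEAF [extra openssl verify args] : prints "accepted",
# "rejected:pathlen" or "rejected:other", i.e. what the relying party decides.
chain_status() {
    leaf=$1; shift
    if out=$(openssl verify -CAfile root.crt "$@" "$leaf.crt" 2>&1); then
        echo accepted
    elif printf '%s\n' "$out" | grep -q 'path length constraint exceeded'; then
        echo rejected:pathlen
    else
        echo rejected:other
    fi
}

build_hierarchy
echo "root -> sub -> leaf : $(chain_status leaf -untrusted sub.crt)"   # rejected:pathlen
echo "root -> direct      : $(chain_status direct)"                    # accepted
```

The sub-CA certificate is perfectly well-formed on its own; only when the relying party walks the full path root -> sub -> leaf does the root's `pathlen:0` bite, so any check that looks at the issuer in isolation (or trusts the signer to have checked) misses it.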