On 17/11/16 18:41, Erwann Abalea wrote:
> Another valid chain:
> RootCA (subject: "C=UT, O=PerfectCA, CN=Root")
> -> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0)
> -> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0) <= this
> is the self-issued cert, same name
> -> EE
>
> Having a pathLen=0 doesn’t forbid you from creating a CA
> certificate, it only forbids you from creating a CA certificate
> for a different CA. This is defined in X.509 and repeated in RFC5280.
> This behaviour is supported by OpenSSL, probably by Microsoft
> (haven’t checked), I guess by Mozilla libPKIX but not Mozilla::pkix
> (just quickly read the source).

Well, %$£&*. So an attacker can effectively leverage a SHA-1 collision into a cert which is equivalent to the issuing intermediate but for which they control the private key?

Gerv
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
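
The path-length rule described in the quoted message (self-issued CA certificates are not counted against pathLen), written out as an added example that is not part of the original thread and is not code from any of the libraries named. The `Cert` model, the function names, and the "Other" and "EE" names are hypothetical; names are compared as plain strings, and signatures, validity and other extensions are out of scope.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:  # hypothetical minimal model, not an X.509 parser
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint

def self_issued(c: Cert) -> bool:
    # Self-issued means subject == issuer; it does not imply the same key.
    return c.subject == c.issuer

def path_len_ok(chain: List[Cert]) -> bool:
    """chain: certificates below the trust anchor, ending with the end entity.
    Only the max_path_length bookkeeping of RFC 5280 section 6.1.4 (l)-(m)."""
    max_path_length = len(chain)           # initial value n (section 6.1.2)
    for cert in chain[:-1]:                # every cert except the last is a CA
        if not cert.is_ca:
            return False
        if not self_issued(cert):          # (l) self-issued certs are skipped
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len  # (m) tighten to the constraint
    return True

# Constructed sample chains using the names from the quoted message.
ROOT = "C=UT, O=PerfectCA, CN=Root"
ONLINE = "C=UT, O=PerfectCA, CN=Online"
OTHER = "C=UT, O=PerfectCA, CN=Other"      # constructed name

online = Cert(ONLINE, ROOT, is_ca=True, path_len=0)
online_self = Cert(ONLINE, ONLINE, is_ca=True, path_len=0)
other_ca = Cert(OTHER, ONLINE, is_ca=True)

SELF_ISSUED_CHAIN = [online, online_self, Cert("CN=EE", ONLINE)]
DIFFERENT_CA_CHAIN = [online, other_ca, Cert("CN=EE", OTHER)]

if __name__ == "__main__":
    print("self-issued under pathLen=0:", path_len_ok(SELF_ISSUED_CHAIN))
    print("different CA under pathLen=0:", path_len_ok(DIFFERENT_CA_CHAIN))
```

A validator that counts every intermediate, self-issued or not, would reject the first chain; one that follows RFC 5280 accepts it, so relying parties cannot treat pathLen=0 as a guarantee that no further CA certificate sits below the constrained one.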
