Alex Gaynor added the comment:

For the use case of "I want to trust this CA, but I don't want to trust any of its sub CAs" I think there's a simpler solution than expanding our API:

Create your own cross-sign of the root you want, and add a pathLenConstraint: 0 to the basicConstraints extension. By "create a cross-sign", I mean a new certificate with the same subject/SPKI/SKI/other-extensions, but instead of being self-signed, sign it under some random private key you throw away. And then use that as your trust root, instead of the original certificate. This should work fine for validation.

----------

Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue25115>