[I've cc'd this back to the list to correct my previous posting]
 
>>You shouldn't actually set the path length anyway, it's deprecated in the PKIX
>>profile, and there are no known implementations which use it.  As a general
>>rule of thumb with fields in extensions, if you can't explain exactly why you
>>need it then it's probably a good idea not to use it (this eliminates about 50%
>>of all extension fields).
 
>I'm not sure I said what I meant there, I was referring to the
>pathLenConstraint part of basicConstraints. Is that deprecated? I can think of
>at least one good use for it... if a CA wants to issue a subordinate CA
>certificate but wants to prevent the subordinate from issuing further CA
>certificates.
 
Sorry, it's not deprecated - I was thinking of path constraints in
nameConstraints, not in basicConstraints.
 
Peter.
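The use case raised in the thread (a subordinate CA that must not be able to create further working CAs) comes down to how a validator processes pathLenConstraint while walking a chain. The sketch below is an added example, not part of the original posts: it models only the path-length step of RFC 5280 path validation (no signatures, names or validity dates), and the `Cert` class, `check_path_length` and the sample certificates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    """Minimal stand-in for the basicConstraints-relevant fields of a certificate."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None means the field is absent

def check_path_length(path: List[Cert]) -> Tuple[bool, str]:
    """Path-length processing only.

    path[0] is the certificate issued by the trust anchor and path[-1] is the
    certificate being validated. Every certificate before the last one acts as
    an issuer, so it must be a CA and must fit in the remaining budget.
    """
    max_path_length = len(path)      # initial value: no constraint seen yet
    for cert in path[:-1]:
        if not cert.is_ca:
            return False, f"{cert.subject}: cA is not asserted"
        if cert.subject != cert.issuer:          # self-issued certs are not counted
            if max_path_length <= 0:
                return False, f"{cert.subject}: pathLenConstraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len      # tighten the remaining budget
    return True, "ok"

# Constructed sample chain: the root issues a subordinate CA with pathLenConstraint=0.
SUB = Cert("Sub CA", "Root CA", is_ca=True, path_len=0)
SUB_SUB = Cert("Sub-Sub CA", "Sub CA", is_ca=True)     # CA cert issued despite the limit
LEAF_DIRECT = Cert("www.example.test", "Sub CA")
LEAF_DEEP = Cert("www.example.test", "Sub-Sub CA")

if __name__ == "__main__":
    for path in ([SUB, LEAF_DIRECT], [SUB, SUB_SUB], [SUB, SUB_SUB, LEAF_DEEP]):
        print(" -> ".join(c.subject for c in path), check_path_length(path))
```

The constraint does not stop the subordinate from signing a CA certificate; it makes any path that uses that certificate as an issuer fail, which is why enforcement depends on the relying party's validator.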
 

+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/  |
+-------------------------------------------------------------------------+
