On 12/20/2012 11:20 AM, Ben Laurie wrote: > On 20 December 2012 09:50, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: >> - Having a thing with basicConstraints.cA==false issue precerts >> seems wrong, but that may be better discussed during IETF LC so >> I'm not requesting a change now. > > This was deliberate to avoid the precertificate being a > certificate, as requested by CAs.
Well it avoids the precert issuer being a CA. The precert is still syntactically a cert. And you need to use the precert issuer private key to make a precert. Some s/w might refuse if it saw that cert for the precert issuer that has .cA==false. No reason why you can't make it happen in principle, but I've no idea if needing s/w like that'd be a real barrier or not. S. > _______________________________________________ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey > > _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey