Re: Question about pathlen extension checked

2011-09-20 Thread Ralph Holz (TUM)
Hi, Thanks for the replies, it's very much appreciated. It takes careful reading of RFC 3280 if you don't want to miss the crucial distinction between intermediate certificate on the path and certificate on the path - thanks for the highlighting. My conclusion from all this is that the many

RE: Question about pathlen extension checked

2011-09-20 Thread Ryan Sleevi
Subject: Re: Question about pathlen extension checked Hi, Thanks for the replies, it's very much appreciated. It takes careful reading of RFC 3280 if you don't want to miss the crucial distinction between intermediate certificate on the path and certificate on the path - thanks

Re: Question about pathlen extension checked

2011-09-19 Thread Robert Relyea
On 09/18/2011 03:15 AM, Ralph Holz (TUM) wrote: Hi, does NSS check the pathlength extension in an issuing certificate? yes. I am particularly wondering if pathlen:0 is honoured. According to the spec, which means no limit. NSS limits the size of the total chain to prevent loop attacks, so

RE: Question about pathlen extension checked

2011-09-19 Thread Ryan Sleevi
On 09/18/2011 03:15 AM, Ralph Holz (TUM) wrote: Hi, does NSS check the pathlength extension in an issuing certificate? yes. I am particularly wondering if pathlen:0 is honoured. According to the spec, which means no limit. NSS limits the size of the total chain to prevent loop

Re: Question about pathlen extension checked

2011-09-19 Thread Eddy Nigg
On 09/19/2011 08:34 PM, From Robert Relyea: If you really want pathlen of '0', then just set the isCA bit to FALSE;). Well wellNSS (or PSM) doesn't even accept an end user certificate with CA=TRUE as we found out recently. And that's very good IMO. -- Regards Signer: Eddy Nigg,

Re: Question about pathlen extension checked

2011-09-19 Thread Nelson B Bolyard
On 2011/09/18 03:15 PDT, Ralph Holz (TUM) wrote: does NSS check the pathlength extension in an issuing certificate? I am particularly wondering if pathlen:0 is honoured. Yes and Yes. NSS 3.12 claims compliance with RFC 3280. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Question about pathlen extension checked

2011-09-18 Thread Ralph Holz (TUM)
Hi, does NSS check the pathlength extension in an issuing certificate? I am particularly wondering if pathlen:0 is honoured. Thanks, Ralph -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

RE: Question about pathlen extension checked

2011-09-18 Thread ryan-mozdevtechcrypto
-mozdevtechcrypto=sleevi@lists.mozilla.org] On Behalf Of Ralph Holz (TUM) Sent: Sunday, September 18, 2011 6:15 AM To: mozilla-dev-tech-cry...@lists.mozilla.org Subject: Question about pathlen extension checked Hi, does NSS check the pathlength extension in an issuing certificate? I am