On 10/08/2017 20:14, Matthew Hardeman wrote:
Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of 

It has a normal 2 year validity period.

Which again sounds like a certificate administratively created to serve as a 
test point certificate for the root programs.

To me, these two facts indicate that Identitrust was being extra careful
about security and having a security mechanism that forced setting
pathlen constraints on all manually issued certificates (to prevent
omitting it from SubCA certificates).

This security-improving precaution unfortunately ran against a formal
rule in the BRs, thus forcing this issue.

I would hope that they have at least kept their original precaution for
CA:TRUE certificates.


Can anyone point out a real world X.509 framework that gets confused by
a redundant pathlen:0 in a CA:FALSE certificate?  (Merely to assess the
seriousness of the issue, given that the certificate was already


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to