>   certificate.)  A pathLenConstraint of zero indicates that no non-
>   self-issued intermediate CA certificates may follow in a valid
>   certification path.

Validation of the certification path is the responsibility of the relying party 
-- the recipient of data.

It is not safe to rely on the proper behavior of the signing parties.  It never 
was. OpenSSL is doing the right thing.

        /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA



-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Peter1234
Sent: Thursday, August 22, 2013 9:00 AM
To: openssl-users@openssl.org
Subject: RE: CA hierarchy / pathlen:0

You misunderstand how it’s supposed to work.
OpenSSL does not prevent you from signing anything.  It can’t; for example, you 
could use other software and generate the signature.

Instead, when the recipient gets a certificate, and verifies the chain, it 
should reject the chain because the signing CA was not legitimate (pathlen 
exceeded).





Hi Rich,

The following lines are copied from RFC 5280:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA

I assumed openssl would conform to RFC standards and therefore I supposed that
it takes care of the path lengths specified in CA certificates.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
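To make the thread's point concrete, here is an added example (not from either poster): it builds Root -> Intermediate (pathlen:0) -> Sub-CA -> Leaf with the openssl CLI, shows that OpenSSL signs the sub-CA without complaint, and then shows `openssl verify` on the relying-party side rejecting that chain while accepting a leaf issued directly by the intermediate. Subject names and file names are made up; it assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: signing below a pathlen:0 CA succeeds,
# but path validation by the relying party rejects the chain. Names are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > min.cnf   # minimal config for `openssl req`

# newcert NAME SUBJECT EXTENSIONS [ISSUER]: key + CSR + certificate for NAME.
# Without ISSUER the certificate is self-signed (used for the root).
newcert() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
  openssl req -new -config min.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  printf '%b\n' "$3" > "$1.ext"
  if [ $# -eq 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$1.ext" \
      -out "$1.crt" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
CA0_EXT='basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
EE_EXT='basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature'

newcert root  "Demo Root"         "$CA_EXT"
newcert inter "Demo Intermediate" "$CA0_EXT" root
# The step RFC 5280 forbids: another CA below a pathlen:0 intermediate.
# OpenSSL signs it anyway; nothing at signing time enforces the constraint.
newcert subca "Demo Sub-CA"       "$CA_EXT" inter
newcert leaf  "deep.example"      "$EE_EXT" subca   # Root -> inter -> subca -> leaf
newcert leaf2 "direct.example"    "$EE_EXT" inter   # Root -> inter -> leaf2 (control)

# verify_chain LEAF UNTRUSTED...: what a relying party decides for this chain.
verify_chain() {
  leaf=$1; shift
  cat "$@" > untrusted.pem
  if openssl verify -CAfile root.crt -untrusted untrusted.pem "$leaf" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected    # openssl reports "path length constraint exceeded" for the deep chain
  fi
}

verify_chain leaf2.crt inter.crt            # accepted
verify_chain leaf.crt inter.crt subca.crt   # rejected
```

Running `openssl verify` without the redirects shows the exact reason, which is the check Peter expected to happen at signing time.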
