On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek <ste...@epy.co.at> wrote:
> On 25.03.2014, at 17:44, Zack Williams wrote:
>
>> ...
>> 3. Is there a reason to not set a pathLen in the basicConstraints
>> section of the Root CA's (to 1, to allow a maximum of one layer of
>> CA's below the Root), but to do so on the Intermediate CA's?
>
> Pathlen is not used on root CA certs. ...
RFC 5280 might disagree. For example, section 6.1.2 (k):
(k) max_path_length: this integer is initialized to n, is
decremented for each non-self-issued certificate in the path,
and may be reduced to the value in the path length constraint
field within the basic constraints extension of a CA
certificate.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
