On 27/03/2014 11:14, Jeffrey Walton wrote:
> On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek <ste...@epy.co.at> wrote:
>> On 25.03.2014, at 17:44, Zack Williams wrote:
>>> ...
>>> 3. Is there a reason to not set a pathLen in the basicConstraints
>>> section of the Root CA's (to 1, to allow a maximum of one layer of
>>> CA's below the Root), but to do so on the Intermediate CA's?
>> Pathlen is not used on root CA certs. ...
> RFC 5280 might disagree. For example, section 6.1.2 (k):
>
>    (k) max_path_length: this integer is initialized to n, is
>        decremented for each non-self-issued certificate in the path,
>        and may be reduced to the value in the path length constraint
>        field within the basic constraints extension of a CA
>        certificate.
No disagreement here.
Initial value of the max_path_len is set to the length of certificate
chain, and it's not taken from the BasicConstraints extension of the
trust anchor. The rest of the phrase (after the first comma) explains
how it will decrease, but it's detailed later in the algo.
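
Added example, not part of the original thread: a minimal Python model of the max_path_length bookkeeping in RFC 5280 sections 6.1.2 (k) and 6.1.4 (l)/(m), showing that a pathLen in the trust anchor's own certificate never enters the computation while one on an intermediate CA does. The `Cert` class, the certificate names and the third call (which feeds the root certificate in as if it were a path element) are constructed for illustration; no other check from the RFC is modelled.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    path_len: Optional[int] = None  # pathLenConstraint; None when absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def check_path_length(path: Sequence[Cert]) -> Tuple[bool, str]:
    """path[0] is issued by the trust anchor, path[-1] is the target.
    The trust anchor itself is not an element of the path."""
    max_path_length = len(path)                     # 6.1.2 (k): initialised to n
    for i, cert in enumerate(path[:-1], start=1):   # 6.1.4 runs for certs 1..n-1
        if not cert.self_issued:                    # 6.1.4 (l)
            if max_path_length <= 0:
                return False, f"cert {i} ({cert.subject}): path length exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len         # 6.1.4 (m)
    return True, "ok"


# Constructed sample certificates (names are made up for this example).
ROOT = Cert("Root", "Root", path_len=1)      # anchor's own cert carries pathLen 1
INT1 = Cert("Int1", "Root")
INT2 = Cert("Int2", "Int1")
INT1_PL0 = Cert("Int1", "Root", path_len=0)  # intermediate that may only issue leaves
LEAF = Cert("leaf", "Int2")

if __name__ == "__main__":
    # Anchor outside the path: its pathLen=1 is never read, two CA levels pass.
    print(check_path_length([INT1, INT2, LEAF]))
    # pathLen=0 on the first intermediate: Int2 below it is rejected.
    print(check_path_length([INT1_PL0, INT2, LEAF]))
    # Hypothetical: root cert processed as a path element, so its pathLen applies.
    print(check_path_length([ROOT, INT1, INT2, LEAF]))
```
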