* Ian Pilcher ([email protected]) wrote: > On 12/02/2013 02:17 PM, Tom Lane wrote: > > Ian Pilcher <[email protected]> writes: > >> Yes. And the problem is that there is no way to prevent OpenSSL from > >> accepting intermediate certificates supplied by the client. As a > >> result, the server cannot accept client certificates signed by one > >> intermediate CA without also accepting *any* client certificate that can > >> present a chain back to the root CA. > > > > Isn't that sort of the point?
Yes.
> I'm not sure what you're asking. The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root. This is currently not possible, mainly due to the way
> that OpenSSL works.
It's not possible because of the way certificate chains are *intended*
to work.. What you're asking for is something which was not a use-case
for certificates. Cross-organizational trusts were done through
'bridge' CAs, which then can have policies about what attributes are
allowed to pass through a bridge or be trusted from a not-our-root-CA.
Intermediate certificates are not the same thing and were never intended
to be used in the way you're asking for.
Thanks,
Stephen
signature.asc
Description: Digital signature
