Hello,

For security reasons, our online CAs have a critical BC extension with pathLenConstraint set to 0. For security and compliance reasons (RFC 5280/X.509), our CA system doesn't allow duplicate serial numbers under a CA, so we're going to issue a "Precertificate Signing Certificate" under each of our issuing CAs for precertificate generation.

Of course, a compliant X.509 third party MUST fail to validate the precertificate (because of the pathLenConstraint=0 CA issuing something that acts as a CA without being declared as such). How will this case be handled by log servers? RFC 6962, section 3.1, states that "the log may relax standard validation rules to allow this, so long as the issued certificate will be valid", without any detail on the relaxed rules. Will it be mandatory to re-issue pathLenConstraint=1 CA certificates and relax our security rules?

-- Erwann.
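An added illustration, not from the original post or from any log implementation, of the validation problem Erwann describes: a toy RFC 5280 path check over constructed certificate dicts, plus one possible relaxed rule for a precertificate signing certificate; that relaxed rule is an assumption about what RFC 6962 section 3.1 could permit, not the documented behaviour of any log.

```python
# Toy RFC 5280 path check: why a Precertificate Signing Certificate under a
# pathLenConstraint=0 issuing CA fails strict validation, and one ASSUMED
# relaxation a log might apply.  Certificates are constructed dicts, not DER.
CT_PRECERT_SIGNING_EKU = "1.3.6.1.4.1.11129.2.4.4"  # RFC 6962 s3.1 EKU
CT_POISON_EXT = "1.3.6.1.4.1.11129.2.4.3"           # RFC 6962 s3.1 poison


def is_precert_signing_cert(cert):
    """RFC 6962 s3.1 shape: CA:TRUE plus the CT precertificate-signing EKU."""
    return bool(cert.get("ca")) and CT_PRECERT_SIGNING_EKU in cert.get("eku", ())


def validate_path(chain, relax_for_precert=False):
    """chain runs trust anchor -> ... -> end entity.  Returns (ok, reason).
    RFC 5280 s6.1.4 bookkeeping: each non-self-issued intermediate consumes
    one step of max_path_length; pathLenConstraint can only shrink the budget."""
    max_path_length = None  # None: no limit seen yet
    leaf = chain[-1]
    for idx, cert in enumerate(chain[:-1]):
        if not cert.get("ca"):
            return False, f"{cert['subject']}: basicConstraints CA is not TRUE"
        if idx == 0:
            continue  # trust anchor constraints are not processed (s6.1.1)
        if cert["subject"] != cert["issuer"]:  # self-issued certs are free
            if max_path_length == 0:
                # ASSUMED relaxation: a precert signing cert directly above a
                # precertificate (poison extension present) does not consume a
                # step, since the final certificate will come from the CA itself.
                relaxed = (relax_for_precert and idx == len(chain) - 2
                           and is_precert_signing_cert(cert)
                           and CT_POISON_EXT in leaf.get("critical_exts", ()))
                if not relaxed:
                    return False, (f"{chain[idx - 1]['subject']}: "
                                   f"pathLenConstraint exceeded by {cert['subject']}")
            elif max_path_length is not None:
                max_path_length -= 1
        plc = cert.get("path_len")
        if plc is not None and (max_path_length is None or plc < max_path_length):
            max_path_length = plc
    return True, "ok"


# Constructed sample chain mirroring the post: issuing CA with pathLen 0.
ROOT = {"subject": "Root", "issuer": "Root", "ca": True}
ISSUING = {"subject": "Issuing CA", "issuer": "Root", "ca": True, "path_len": 0}
PRECERT_SIGNER = {"subject": "Precert Signer", "issuer": "Issuing CA", "ca": True,
                  "eku": (CT_PRECERT_SIGNING_EKU,)}
PRECERT = {"subject": "example.test", "issuer": "Precert Signer", "ca": False,
           "critical_exts": (CT_POISON_EXT,)}
CHAIN = [ROOT, ISSUING, PRECERT_SIGNER, PRECERT]

if __name__ == "__main__":
    print(validate_path(CHAIN))                           # strict: rejected
    print(validate_path(CHAIN, relax_for_precert=True))   # relaxed: accepted
```

Re-issuing the issuing CA with pathLenConstraint=1 makes the same chain pass the strict check with no relaxation at all, which is the trade-off the post asks about.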
Trans mailing list: https://www.ietf.org/mailman/listinfo/trans
