[Cryptography] Blue Coat has been issued a MITM encryption certificate

Viktor Dukhovni cryptography at dukhovni.org
Tue May 31 12:30:49 EDT 2016


On Tue, May 31, 2016 at 10:34:07AM -0400, Phillip Hallam-Baker wrote:

> For the benefit of us who can't remember, what is the effect of path-len 0?

In the specs and in OpenSSL it means that the CA can only issue EE
certificates; it cannot issue subsidiary intermediates.

I'd be surprised if other X.509 toolkits interpreted pathlen == 0
differently.  I would not be surprised to find toolkits that completely
ignore path length constraints, but don't know of any that do.
The extension should be "critical", which might help with those
toolkits that don't ignore unhandled critical extensions.

-- 
	Viktor.
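
An added illustration, not part of the original message and not OpenSSL's code: a minimal Python model of the path-length bookkeeping in RFC 5280 section 6.1.4, showing why a CA with pathlen 0 can issue EE certificates but not subsidiary intermediates. The `Cert` class, the function name and the sample chains are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    """Constructed stand-in for the X.509 fields this check reads."""
    subject: str
    issuer: str
    ca: bool = False                  # basicConstraints cA
    path_len: Optional[int] = None    # basicConstraints pathLenConstraint


def check_path_length(path):
    """Apply RFC 5280 section 6.1.4 steps (k)-(m) to `path`.

    `path` runs from the certificate issued by the trust anchor down to
    the end-entity (EE) certificate. Returns (ok, reason).
    """
    max_path_length = len(path)       # section 6.1.2: initialised to n
    for cert in path[:-1]:            # every certificate except the last
        if not cert.ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:   # self-issued certs are not counted
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


# Constructed sample chains; all names are hypothetical.
issuing = Cert("Issuing CA", "Root", ca=True, path_len=0)
ee_direct = Cert("www.example.test", "Issuing CA")
sub_ca = Cert("Sub CA", "Issuing CA", ca=True)
ee_via_sub = Cert("www.example.test", "Sub CA")

if __name__ == "__main__":
    # pathlen 0 CA issuing an EE certificate directly: accepted.
    print(check_path_length([issuing, ee_direct]))
    # Same CA issuing a subsidiary intermediate: rejected at the sub CA.
    print(check_path_length([issuing, sub_ca, ee_via_sub]))
```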

