shibboleth-dev - Follow-up to design call re: path length
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Subject: Follow-up to design call re: path length
- Date: Mon, 28 Feb 2005 21:24:50 -0500
- Organization: The Ohio State University
It didn't occur to me at the time, but then I remembered that RFC 3280
already specifies a cert bit that controls the path length allowed from a
CA. It would be wrong for us to invent our own way of specifying the allowed
depth on a per-CA basis, that's just one of the million extensions involved
in PKIX processing.
See pathLenConstraint, http://www.faqs.org/rfcs/rfc3280.html Sec. 4.2.1.10
If you really buy off on this stuff, you're supposed to let the cert
machinery enforce all these rules, not impose them yourself. If you trust
the CA, it's because you trust what it allows, including the chain length.
I think Howard would agree, but that's also (I think) why he's arguing for
anything we build as a one-off that's not PKIX to be limited to one hop.
Either you're doing 3280 and your head probably explodes, or you're doing
something else, and doing chains at that point is probably overkill.
-- Scott
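
The pathLenConstraint bookkeeping from the RFC 3280 path validation algorithm (Sec. 6.1), as an added example that is not part of the original message or of Shibboleth's code. `Cert` is a constructed stand-in carrying only the fields this check reads, and all names in the sample paths are made up.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate; not a real X.509 parser."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint, None when absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def check_path_length(path: Sequence[Cert]) -> Optional[str]:
    """Return None if the path satisfies every pathLenConstraint, else a reason.

    path[0] is the certificate issued by the trust anchor and path[-1] is the
    end entity. Only the basicConstraints steps of the algorithm are modelled;
    signatures, validity, names and policies are out of scope here.
    """
    max_path_length = len(path)          # initial value: n, the path length
    for cert in path[:-1]:               # the final certificate is exempt
        if not cert.is_ca:
            return f"{cert.subject}: issues certificates but is not a CA"
        if not cert.self_issued:         # self-issued certs do not use up depth
            if max_path_length <= 0:
                return f"{cert.subject}: deeper than a pathLenConstraint above it allows"
            max_path_length -= 1
        # A constraint can only tighten the remaining depth, never widen it.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


# Constructed sample chains: a campus CA limited to issuing end entities only.
campus = Cert("CN=Campus CA", "CN=Root", is_ca=True, path_len=0)
dept = Cert("CN=Dept CA", "CN=Campus CA", is_ca=True)
idp = Cert("CN=idp.example.org", "CN=Campus CA")
sp = Cert("CN=sp.example.org", "CN=Dept CA")

if __name__ == "__main__":
    print(check_path_length([campus, idp]))        # one hop below Campus CA
    print(check_path_length([campus, dept, sp]))   # Dept CA violates pathLen 0
```

The limit travels with the CA certificate itself, so a relying party running this check needs no separate per-CA depth setting.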