[Help-gnutls] Re: How to restrict certification path length

From: Simon Josefsson
Subject: [Help-gnutls] Re: How to restrict certification path length
Date: Thu, 11 Jan 2007 11:41:28 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.92 (gnu/linux)
Sascha Ziemann <address@hidden> writes:
> Hi,
>
> is it possible to specify the maximum certification path length in a
> configuration file for certtool? Internet explorer reports the path
> length of certificates made by certtool as unlimited.
>
> I have a Root CA, which signs an Issuer CA, and an Issuer CA, which
> signs client and server certificates. I would like to restrict the path
> length of the Root CA to two and the path length of the issuer CA to one
> in order to avoid any hacks made with the client or server certificates.
Hi! This is not possible today, but I implemented this in CVS.
Thanks for the suggestion! You can try CVS now, or tomorrow's daily
snapshot. Please let me know if/how it works. Here are the NEWS
entries:
** Certtool now prints the value of the pathLenConstraints field for certs.
** Certtool now queries for path length constraints when generating CA certs.
For batch uses, the certtool configuration name is "path_len".
Suggested by Sascha Ziemann <address@hidden>.
** Add new API to get/set pathLenConstraint in the Basic Constraints.
The new functions gnutls_x509_crt_get_basic_constraints and
gnutls_x509_crt_set_basic_constraints provide a superset of the
functionality in the old gnutls_x509_crt_get_ca_status and
gnutls_x509_crt_set_ca_status (respectively), but the old functions
will continue to be supported.
** API and ABI modifications:
gnutls_x509_crt_get_basic_constraints: ADD.
gnutls_x509_crt_set_basic_constraints: ADD.
/Simon
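To make the pathLenConstraint semantics concrete, here is an added example that is not part of the thread and not gnutls code: a small model of the check a path validator performs per RFC 5280 section 6.1.4, steps (k) to (m), run over constructed certificate records for the Root CA / Issuer CA / end-entity hierarchy discussed above (the certtool template key for this field is "path_len", per the NEWS entry). The point worth seeing is that pathLenConstraint counts the CA certificates allowed *below* the one carrying it: to admit only Root -> Issuer -> end-entity and nothing deeper, the root needs path_len 1 and the issuer CA path_len 0. The block shows that with those values a rogue sub-CA signed by the issuer CA is rejected, and the test shows that the looser values 2 and 1 would still accept it. The `enforce_anchor` switch is my own design choice, since RFC 5280 leaves processing of the trust anchor's own constraints to the implementation.

```python
# Added example for this thread; not code from gnutls or from the list posters.
# Models the pathLenConstraint check of RFC 5280 section 6.1.4 (k)-(m) on a
# constructed chain so the effect of different path_len values can be tried.


def make_cert(subject, issuer, ca=False, path_len=None):
    """Minimal stand-in for a parsed X.509 certificate (constructed data).
    path_len=None means Basic Constraints carries no pathLenConstraint,
    i.e. the CA may sign an unlimited number of subordinate CAs."""
    return {"subject": subject, "issuer": issuer, "ca": ca, "path_len": path_len}


def is_self_issued(cert):
    return cert["subject"] == cert["issuer"]


def check_path_len(chain, enforce_anchor=True):
    """Validate pathLenConstraint along a chain ordered trust anchor first,
    end-entity last. Returns (ok, reason).

    RFC 5280 keeps a counter max_path_length: every non-self-issued CA cert
    below the anchor consumes one unit (step l), and a CA cert whose
    pathLenConstraint is smaller than the counter lowers it (step m).
    enforce_anchor=True also applies the anchor's own pathLenConstraint
    (an implementation choice; the RFC leaves anchor constraints open).
    Signatures, names, validity periods etc. are out of scope here.
    """
    if len(chain) < 2:
        return False, "chain needs at least an anchor and an end-entity cert"
    max_path_length = None  # None = unbounded

    for index, cert in enumerate(chain[:-1]):  # every cert acting as an issuer
        if not cert["ca"]:  # step (k): issuers must assert cA=TRUE
            return False, f"{cert['subject']} is not a CA but issued a certificate"
        if index > 0 and not is_self_issued(cert):  # step (l)
            if max_path_length == 0:
                return False, f"{cert['subject']} exceeds pathLenConstraint"
            if max_path_length is not None:
                max_path_length -= 1
        if cert["path_len"] is not None and (index > 0 or enforce_anchor):  # step (m)
            if max_path_length is None or cert["path_len"] < max_path_length:
                max_path_length = cert["path_len"]

    return True, "pathLenConstraint satisfied"


# Constructed hierarchy matching the thread: two CA tiers, no deeper CAs wanted.
ROOT = make_cert("Root CA", "Root CA", ca=True, path_len=1)
ISSUER = make_cert("Issuer CA", "Root CA", ca=True, path_len=0)
SERVER = make_cert("www.example.test", "Issuer CA")
ROGUE_CA = make_cert("Rogue Sub-CA", "Issuer CA", ca=True)  # sub-CA signed by Issuer CA
VICTIM = make_cert("victim.example.test", "Rogue Sub-CA")

EXPECTED_CHAIN = [ROOT, ISSUER, SERVER]
ROGUE_CHAIN = [ROOT, ISSUER, ROGUE_CA, VICTIM]

if __name__ == "__main__":
    for name, chain in (("expected", EXPECTED_CHAIN), ("rogue", ROGUE_CHAIN)):
        ok, reason = check_path_len(chain)
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Running the block prints that the expected chain is accepted and the rogue chain rejected. Swapping in path_len 2 on the root and 1 on the issuer lets the rogue sub-CA through, which is the caveat to keep in mind when choosing the values for a certtool template.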