On 09/18/2011 03:15 AM, Ralph Holz (TUM) wrote:
> Hi,
>
> does NSS check the pathlength extension in an issuing certificate?

yes.

> I am particularly wondering if pathlen:0 is honoured.

According to the spec, which means no limit. NSS limits the size of the
total chain to prevent loop attacks, so in practice you can't have an
'infinite' pathlen, but our chain limit is quite large, and you are
likely to run into protocol issues using chains of that size.

If you really want pathlen of '0', then just set the isCA bit to FALSE ;).

bob

> Thanks,
> Ralph
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
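
An added example (not NSS code and not part of the thread) of the two checks the exchange above touches on: basicConstraints path-length processing as RFC 5280 section 6.1.4 specifies it, plus a cap on total chain size. The struct, the function name and the MAX_CHAIN_DEPTH value are assumptions made for the illustration.

```c
#include <stddef.h>

/* Hypothetical cap on total chain size; the thread does not give NSS's value. */
#define MAX_CHAIN_DEPTH 20

enum path_result { PATH_OK = 0, PATH_BAD_SIZE, PATH_NOT_CA, PATH_LEN_EXCEEDED };

/* Constructed model holding only the fields this check needs. */
struct cert {
    int is_ca;        /* basicConstraints cA flag */
    int has_pathlen;  /* pathLenConstraint present? */
    int pathlen;      /* its value when present */
    int self_issued;  /* issuer name equals subject name */
};

/* chain[0] is the certificate issued by the trust anchor,
 * chain[n-1] is the end-entity certificate. */
enum path_result check_path_length(const struct cert *chain, size_t n)
{
    /* Reject empty or oversized chains before touching any element. */
    if (n == 0 || n > MAX_CHAIN_DEPTH)
        return PATH_BAD_SIZE;

    int max_path = (int)n;  /* RFC 5280 6.1.2: initial max_path_length */

    for (size_t i = 0; i + 1 < n; i++) {  /* every certificate except the last */
        const struct cert *c = &chain[i];

        if (!c->is_ca)                    /* an issuer must assert cA */
            return PATH_NOT_CA;

        if (!c->self_issued) {            /* self-issued certs do not count */
            if (max_path <= 0)
                return PATH_LEN_EXCEEDED;
            max_path--;
        }

        /* A present pathLenConstraint can only tighten the running limit. */
        if (c->has_pathlen && c->pathlen < max_path)
            max_path = c->pathlen;
    }
    return PATH_OK;
}
```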