RE: Question about pathlen extension checked

2011-09-20 Thread Ryan Sleevi
> Cc: mozilla's crypto code discussion list
> Subject: Re: Question about pathlen extension checked
>
> Hi,
>
> Thanks for the replies, it's very much appreciated. It takes careful reading of RFC 3280 if you don't want to miss the crucial distinction between

Re: Question about pathlen extension checked

2011-09-20 Thread Ralph Holz (TUM)
Hi, Thanks for the replies, it's very much appreciated. It takes careful reading of RFC 3280 if you don't want to miss the crucial distinction between "intermediate certificate on the path" and "certificate on the path" - thanks for the highlighting. My conclusion from all this is that the man

Re: Question about pathlen extension checked

2011-09-19 Thread Nelson B Bolyard
On 2011/09/18 03:15 PDT, Ralph Holz (TUM) wrote:
> does NSS check the pathlength extension in an issuing certificate? I am particularly wondering if pathlen:0 is honoured.

Yes and Yes. NSS 3.12 claims compliance with RFC 3280.

Re: Question about pathlen extension checked

2011-09-19 Thread Eddy Nigg
On 09/19/2011 08:34 PM, From Robert Relyea:
> If you really want pathlen of '0', then just set the isCA bit to FALSE ;).

Well well... NSS (or PSM) doesn't even accept an end user certificate with CA=TRUE as we found out recently. And that's very good IMO.

-- Regards Signer: Eddy Nigg, Start

RE: Question about pathlen extension checked

2011-09-19 Thread Ryan Sleevi
> On 09/18/2011 03:15 AM, Ralph Holz (TUM) wrote:
> > Hi,
> >
> > does NSS check the pathlength extension in an issuing certificate?
> yes.
> > I am particularly wondering if pathlen:0 is honoured.
> According to the spec, which means no limit. NSS limits the size of the total chain to preve

Re: Question about pathlen extension checked

2011-09-19 Thread Robert Relyea
On 09/18/2011 03:15 AM, Ralph Holz (TUM) wrote:
> Hi,
>
> does NSS check the pathlength extension in an issuing certificate?

yes.

> I am particularly wondering if pathlen:0 is honoured.

According to the spec, which means no limit. NSS limits the size of the total chain to prevent loop attacks, so i

RE: Question about pathlen extension checked

2011-09-18 Thread ryan-mozdevtechcrypto
> Sent: Sunday, September 18, 2011 6:15 AM
> To: mozilla-dev-tech-cry...@lists.mozilla.org
> Subject: Question about pathlen extension checked
>
> Hi

Question about pathlen extension checked

2011-09-18 Thread Ralph Holz (TUM)
Hi, does NSS check the pathlength extension in an issuing certificate? I am particularly wondering if pathlen:0 is honoured. Thanks, Ralph -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto