Current-Users archive


Re: Call for testing: certctl, postinstall, TLS trust anchors

Correcting a small error in the previous message:

> Date: Wed, 11 Oct 2023 18:47:02 +0000
> From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
> 
> Note: The formal PKIX language has a way for a CA certificate to
> express that the CA it represents is authorized to sign certificates
> for TLS server authentication.

Actually, it can't even express that, as far as I know.

The certificate can say it is authorized to sign certificates (basic
constraints: CA=TRUE, extended key usage: cert sign), or it is
authorized to authenticate TLS servers (extended key usage: server
auth).  But it can't say it is authorized to sign certificates only
for entities authorized to authenticate TLS servers.

That is, it can't be _restricted_ from doing that in the X.509
language, so _any_ CA can always sign certificates for _any_ purpose.
