Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present #4729
Comments
|
So your contention is that |
|
I understand the baseline requirements in such a way that the At the moment, Botan is using a path length limit of one as default (for all CA certificates). I wonder if that is a good default because a value of one would allow only one level of CAs under the current CA certificate. Wouldn't it be better if there is by default no restriction at all? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
According to the baseline requirements the
pathLenConstraintfield should not be present for root CA certificates.Issue found with zlint.
https://github.com/zmap/zlint/blob/master/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
The corresponding baseline requirements: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.3.pdf (section 7.1.2.1)
The text was updated successfully, but these errors were encountered: