[cabfpub] A few technical details about the case by TURKTRUST

Chris Palmer palmer at google.com
Tue Jan 8 18:28:29 UTC 2013


On Tue, Jan 8, 2013 at 9:48 AM, Phillip <philliph at comodo.com> wrote:

>> Question for the group: would it be a good idea to recommend it as a
>> best practice that intermediates issued for the purpose of issuing
>> end-entity certificates have a path length constraint? As I understand
>> it, if TurkTrust's intermediate which mis-issued these certs had had such
>> a constraint, the *.google.com and other certs created by the firewall
>> appliance would not have worked. Am I right?
>
> I was just about to suggest this as best practice. But it would be useful to know what the extent of browser/etc. support for constraint checking is.

Ryan tells me that Chrome already does enforce path length constraints
if they are present.

I think we'd be happy to require that the path length constraint be
present, if the community agreed that it should be a requirement.
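
The path length check discussed in this thread, as an added example that is not part of the original message: a model of the max_path_length steps from RFC 5280 section 6.1.4, with no signature or name checking. The certificate names, the `Cert` class and the `build_chain` helper are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # pathLenConstraint; None means absent


def check_path_length(chain: List[Cert]) -> Optional[str]:
    """chain[0] is issued by the trust anchor, chain[-1] is the end entity.

    Returns None if the path passes, otherwise the reason it is rejected.
    """
    max_path_length = len(chain)  # RFC 5280 initialises this to n
    for cert in chain[:-1]:  # every certificate that issues another one
        if not cert.is_ca:
            return f"{cert.subject}: not a CA but used as an issuer"
        if cert.subject != cert.issuer:  # self-issued certs do not count
            if max_path_length <= 0:
                return f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


def build_chain(intermediate_path_len: Optional[int]) -> List[Cert]:
    """Constructed chain: issuing intermediate -> mis-issued sub-CA -> leaf."""
    return [
        Cert("Issuing Intermediate", "Example Root", True, intermediate_path_len),
        Cert("Mis-issued sub-CA", "Issuing Intermediate", True),
        Cert("*.google.com", "Mis-issued sub-CA"),
    ]


if __name__ == "__main__":
    print("no constraint:", check_path_length(build_chain(None)))
    print("pathLen=0    :", check_path_length(build_chain(0)))
```

With no constraint the three-certificate path passes this check; with `pathLenConstraint=0` on the issuing intermediate it is rejected at the sub-CA, while end-entity certificates issued directly by that intermediate still pass.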


