[cabfpub] A few technical details about the case by TURKTRUST

Gervase Markham gerv at mozilla.org
Wed Jan 9 11:35:32 UTC 2013

On 08/01/13 18:53, Ryan Sleevi wrote:
> Depends on which cert you're talking about having the
> pathLenConstraint. If we're talking about the existing TURKTRUST
> intermediate, then yes, it would have acted as a mitigation, since EE
> -> *.EGO -> TT-I -> TT-Root would have violated the pathLenConstraint
> of TT-I. However, if you're talking about putting it on the *.EGO,
> then no, it would not have worked.

Yes, I meant the TT intermediate.

> The failure mode of a client not observing pathLenConstraint is going
> to be failing open, so I don't see browser support as an argument
> against it.


> The other thing to consider is that these constraints do work
> retroactively for existing intermediates. They only apply when a CA
> issues a new intermediate - which is a very rare event to begin with.

Why should that be necessarily so? Is it simply the hassle of getting
the root key out of storage which means that CAs don't issue new
intermediates (for the purposes of end-entity issuance), say, once a year?
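
Added example, not part of the original message and not code from any browser or CA: a minimal model of the RFC 5280 pathLenConstraint bookkeeping applied to the chain discussed above, showing the constraint on TT-I versus on *.EGO and a client that ignores it. The `Cert` class, `check_path` and `chain` are hypothetical names, and *.EGO is modelled with cA=TRUE, as its position in the chain implies.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    name: str
    is_ca: bool = False               # basicConstraints cA
    path_len: Optional[int] = None    # basicConstraints pathLenConstraint
    self_issued: bool = False         # subject == issuer

def check_path(path, enforce_path_len=True):
    """Check basicConstraints along `path`, ordered from the certificate
    issued by the trust anchor down to the end entity (RFC 5280 6.1.4 k-m).
    Returns (ok, reason)."""
    max_path_length = len(path)       # RFC 5280 6.1.2: initialised to n
    for cert in path[:-1]:            # every certificate acting as an issuer
        if not cert.is_ca:
            return False, f"{cert.name}: not a CA"
        if enforce_path_len:
            if not cert.self_issued:
                if max_path_length <= 0:
                    return False, f"{cert.name}: pathLenConstraint exceeded"
                max_path_length -= 1
            if cert.path_len is not None and cert.path_len < max_path_length:
                max_path_length = cert.path_len
    return True, "ok"

def chain(tt_i_len=None, ego_len=None):
    """Constructed chain EE -> *.EGO -> TT-I, with TT-Root as trust anchor."""
    return [
        Cert("TT-I", is_ca=True, path_len=tt_i_len),
        Cert("*.EGO", is_ca=True, path_len=ego_len),  # assumption: cA=TRUE
        Cert("EE"),
    ]

if __name__ == "__main__":
    # pathLenConstraint=0 on TT-I: the chain through *.EGO is rejected
    print(check_path(chain(tt_i_len=0)))
    # pathLenConstraint=0 on *.EGO only: the EE below it still validates
    print(check_path(chain(ego_len=0)))
    # client that does not observe pathLenConstraint: fails open
    print(check_path(chain(tt_i_len=0), enforce_path_len=False))
```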

