Timeline for What are the new requirements for certificates in Chrome?
Current License: CC BY-SA 4.0
6 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Mar 15 at 17:00 | comment | added | Dagmar d'Surreal | Hmm... not quite. Chrome has no problem with X509 Basic Constraints with pathlen set to zero, so long as CA is set to something. True or false doesn't much matter, but without CA the pathlen can't be parsed correctly, and the relevant RFC has declared this shall always be untrustable. So... there's nothing "legit" about an invalid cert. | |
| Feb 1, 2023 at 20:19 | comment | added | Robert Chapin | @EbrahimGhasemi If a top-level CA is not controlled by the same party as a signed intermediate CA (which would be unusual) then the pathLenConstraint=0 policy could be used to prevent the intermediate CA from signing any CA certificates. I doubt this has much value as a security feature, and it is certainly irrelevant to the validation of end entity certificates. Google is getting so strict here that they are breaking legitimate certificate chains. | |
| Jan 31, 2023 at 19:20 | comment | added | Ebrahim Ghasemi | Dear Robert, do you have any idea what is the purpose of limiting the number of "child CAs" using the "PathLengthConstraint" in a certificate? Does it mitigate any specific attack or increase security in anyway? | |
| Jan 10, 2023 at 23:59 | history | edited | Robert Chapin | CC BY-SA 4.0 |
Using RFC jargon
|
| Jan 9, 2023 at 8:06 | vote | accept | Robert Chapin | ||
| Jan 9, 2023 at 8:06 | history | answered | Robert Chapin | CC BY-SA 4.0 |