Mailing List Archive

From:: Lloyd <ng2d68@proton.me>
Subject:: Re: ikectl(8) CERTPATHLEN value
To:: Stuart Henderson <stu@spacehopper.org>
Cc:: "tech@openbsd.org" <tech@openbsd.org>
Date:: Wed, 29 Jan 2025 21:54:19 +0000

Download raw body.

Thread

2025-01-29 20:32 Lloyd:
ikectl(8) CERTPATHLEN value
- 2025-01-29 21:10 Stuart Henderson:
  ikectl(8) CERTPATHLEN value
- - 2025-01-29 21:54 Lloyd:
    ikectl(8) CERTPATHLEN value
  - - 2025-01-30 07:49 Stuart Henderson:
      ikectl(8) CERTPATHLEN value
    - - 2025-01-30 07:52 Theo Buehler:
        ikectl(8) CERTPATHLEN value

Stuart Henderson wrote:

> What's the benefit? I do see a downside to changing this.

It's more for correctness than anything. I don't see a use case
where the builtin ikectl CA would issue intermediate certificates
and issue end-entity certificates at the same level.

For complex two-tier PKI you are installing your own certs into
iked and not using the builtin CA.

2025-01-29 20:32 Lloyd:
ikectl(8) CERTPATHLEN value
- 2025-01-29 21:10 Stuart Henderson:
  ikectl(8) CERTPATHLEN value
- - 2025-01-29 21:54 Lloyd:
    ikectl(8) CERTPATHLEN value
  - - 2025-01-30 07:49 Stuart Henderson:
      ikectl(8) CERTPATHLEN value
    - - 2025-01-30 07:52 Theo Buehler:
        ikectl(8) CERTPATHLEN value