
From:
Theo Buehler <tb@theobuehler.org>
Subject:
Re: ikectl(8) CERTPATHLEN value
To:
Stuart Henderson <stu@spacehopper.org>
Cc:
Lloyd <ng2d68@proton.me>, tech@openbsd.org
Date:
Thu, 30 Jan 2025 08:52:07 +0100

On Thu, Jan 30, 2025 at 07:49:36AM +0000, Stuart Henderson wrote:
> Sometimes you need to repurpose things for some use case that wasn't
> considered during original setup. Say you've got that cert installed on 20
> unmanaged laptops spread around the country/world and a new requirement
> comes up where an intermediate makes sense (for example, you want to issue
> device or user certs from another location, but don't want to give it the
> original CA key) - you'd be very happy not to have the restriction.
> 
> It's just a ca. There's nothing specific to iked/ikectl here.
> 
> If there was something that restricting this further actually helped then
> maybe it would be worth losing that flexibility, but I'm not seeing it.

Why does this need a pathlen constraint in the first place?
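To make the effect of the constraint under discussion concrete, here is an added example that is not part of this thread and not code from ikectl or OpenSSL: it models RFC 5280 section 6.1.4 path-length processing over constructed chain records (the `Cert` record and `validate_chain` function are assumptions for illustration, not a real X.509 parser). It shows that a CA carrying `pathlen:0` can still issue end-entity certificates, but any intermediate added below it later fails validation, whereas a CA without the constraint accepts one.

```python
"""Model of RFC 5280 (section 6.1.4) path-length checking on a certificate chain.

Constructed illustration only: certificates are tiny records holding just the
basicConstraints CA flag and pathlen; signatures, names and dates are not modelled.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    is_ca: bool                    # basicConstraints CA:TRUE / CA:FALSE
    pathlen: Optional[int] = None  # basicConstraints pathlen, None when absent


def validate_chain(chain: Sequence[Cert]) -> Tuple[bool, str]:
    """Walk chain[0] (trust anchor) down to chain[-1] (end entity).

    Returns (ok, reason). max_path_length counts how many further intermediate
    CAs may still appear below the current certificate; None is unconstrained.
    """
    if not chain:
        return False, "empty chain"
    max_path_length: Optional[int] = None
    for depth, cert in enumerate(chain):
        if depth == len(chain) - 1:
            break  # the end-entity certificate consumes no path length
        if not cert.is_ca:
            return False, f"{cert.name}: CA:FALSE certificate used as an issuer"
        if depth > 0:
            # Each intermediate below the anchor uses up one unit (step l).
            if max_path_length == 0:
                return False, f"{cert.name}: exceeds an ancestor's pathlen constraint"
            if max_path_length is not None:
                max_path_length -= 1
        # A tighter pathlen on this CA overrides a looser inherited one (step m).
        if cert.pathlen is not None and (max_path_length is None or cert.pathlen < max_path_length):
            max_path_length = cert.pathlen
    return True, "chain satisfies basicConstraints"


if __name__ == "__main__":
    # Constructed scenario: a deployed CA, with and without pathlen:0, later
    # asked to sit above a new intermediate that issues device certificates.
    for ca in (Cert("root pathlen:0", True, 0), Cert("root unconstrained", True)):
        sub = Cert("new intermediate", True)
        leaf = Cert("device cert", False)
        print(ca.name, "-> leaf:", validate_chain([ca, leaf]))
        print(ca.name, "-> intermediate -> leaf:", validate_chain([ca, sub, leaf]))
```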