From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: ikectl(8) CERTPATHLEN value
To: Theo Buehler <tb@theobuehler.org>
Cc: Lloyd <ng2d68@proton.me>, tech@openbsd.org
Date: Thu, 30 Jan 2025 09:20:08 +0000

On 2025/01/30 08:52, Theo Buehler wrote:
> On Thu, Jan 30, 2025 at 07:49:36AM +0000, Stuart Henderson wrote:
> > Sometimes you need to repurpose things for some use case that wasn't
> > considered during original setup. Say you've got that cert installed on 20
> > unmanaged laptops spread around the country/world and a new requirement
> > comes up where an intermediate makes sense (for example, you want to issue
> > device or user certs from another location, but don't want to give it the
> > original CA key) - you'd be very happy not to have the restriction.
> > 
> > 
> > It's just a ca. There's nothing specific to iked/ikectl here.
> > 
> > 
> > If there was something that restricting this further actually helped then
> > maybe it would be worth losing that flexibility, but I'm not seeing it.
> 
> Why does this need a pathlen constraint in the first place?

Good point. I would guess it was just copied from x509v3.cnf.
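The situation described in the quoted mail (a root cert already rolled out, an intermediate CA wanted later) can be reproduced with plain openssl(1). The script below is an added example; it is not from the thread and not from ikectl(8) or its ca configuration. The req.cnf section names, the subject names and the temporary files are constructed for the demo, and it assumes an openssl binary in PATH (OpenSSL 1.1.1 or later, or LibreSSL). Only the root's basicConstraints value changes between runs; everything below the root stays the same.

```shell
#!/bin/sh
# Added example, not from the thread and not ikectl's own ca setup: build a
# three-level chain (root -> intermediate -> leaf) with plain openssl(1),
# varying only the root's basicConstraints, and see whether the leaf still
# verifies. Section names in req.cnf and all subject names are made up.
set -e

# $1: basicConstraints value for the root CA, e.g. "critical,CA:TRUE" or
#     "critical,CA:TRUE,pathlen:0".
# Prints "ok" if the leaf verifies against the root with the intermediate
# supplied as an untrusted cert, "fail" otherwise (reason goes to stderr).
chain_verifies() {
	root_bc="$1"
	d=$(mktemp -d)
	(
	cd "$d"
	# Minimal config so the run does not depend on the system openssl.cnf.
	cat > req.cnf <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[root_ext]
basicConstraints = $root_bc
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
	newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"

	# Self-signed root: this is the cert a CERTPATHLEN-style setting lands in.
	openssl req -x509 $newkey -nodes -sha256 -days 30 -config req.cnf \
		-extensions root_ext -subj "/CN=Example Root" \
		-keyout root.key -out root.crt 2>/dev/null

	# Intermediate CA added later, signed by the root (the second issuing
	# location from the mail, which never gets the root key).
	openssl req -new $newkey -nodes -sha256 -config req.cnf \
		-subj "/CN=Example Intermediate" -keyout int.key -out int.csr 2>/dev/null
	openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
		-days 30 -sha256 -extfile req.cnf -extensions ca_ext -out int.crt 2>/dev/null

	# End-entity cert issued by the intermediate (one of the laptops).
	openssl req -new $newkey -nodes -sha256 -config req.cnf \
		-subj "/CN=laptop01" -keyout leaf.key -out leaf.csr 2>/dev/null
	openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
		-days 30 -sha256 -extfile req.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null

	# Chain check as a relying party does it: only the root is trusted.
	if openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>verify.err; then
		echo ok
	else
		sed 's/^/verify: /' verify.err >&2
		echo fail
	fi
	)
	rm -rf "$d"
}

echo "root without pathlen: $(chain_verifies 'critical,CA:TRUE')"
echo "root with pathlen:0:  $(chain_verifies 'critical,CA:TRUE,pathlen:0')"
echo "root with pathlen:1:  $(chain_verifies 'critical,CA:TRUE,pathlen:1')"
```

With pathlen:0 on the root, openssl verify rejects the leaf with "path length constraint exceeded" at depth 2 (the root), because pathlen bounds the number of CA certificates that may follow the cert in a chain, so such a root can only ever sign end-entity certs directly. With no constraint, or pathlen:1, the same intermediate and leaf verify. Note that RFC 5280 leaves it to the verifier whether constraints carried in a self-signed trust anchor are enforced at all, which is another reason a pathlen on the root buys little.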