From: Lloyd <ng2d68@proton.me>
Subject: Re: ikectl(8) CERTPATHLEN value
To: Stuart Henderson <stu@spacehopper.org>
Cc: "tech@openbsd.org" <tech@openbsd.org>
Date: Wed, 29 Jan 2025 21:54:19 +0000

Stuart Henderson wrote:

> What's the benefit? I do see a downside to changing this.

It's more for correctness than anything. I don't see a use case
where the builtin ikectl CA would issue intermediate certificates
and issue end-entity certificates at the same level.

For complex two-tier PKI you are installing your own certs into
iked and not using the builtin CA.