From: Stuart Henderson
Subject: Re: ikectl(8) CERTPATHLEN value
To: Theo Buehler
Cc: Lloyd, tech@openbsd.org
Date: Thu, 30 Jan 2025 09:20:08 +0000

On 2025/01/30 08:52, Theo Buehler wrote:
> On Thu, Jan 30, 2025 at 07:49:36AM +0000, Stuart Henderson wrote:
> > Sometimes you need to repurpose things for some use case that wasn't
> > considered during original setup. Say you've got that cert installed on 20
> > unmanaged laptops spread around the country/world and a new requirement
> > comes up where an intermediate makes sense (for example, you want to issue
> > device or user certs from another location, but don't want to give it the
> > original CA key) - you'd be very happy not to have the restriction.
> >
> > It's just a CA. There's nothing specific to iked/ikectl here.
> >
> > If there was something that restricting this further actually helped then
> > maybe it would be worth losing that flexibility, but I'm not seeing it.
>
> Why does this need a pathlen constraint in the first place?

Good point. I would guess it was just copied from x509v3.cnf.
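The restriction the thread is talking about, shown concretely as an added example that is not part of the mail thread and not ikectl(8)'s own code: an openssl(1) script builds a root CA, an intermediate issued by it, and a leaf issued by the intermediate, then runs openssl verify on the leaf. It does this twice, once with pathlen:0 on the root and once with a plain CA:TRUE root; in both runs the intermediate itself carries pathlen:0, which is where such a limit belongs if one is wanted. The file names, subjects and config section names are made up for the demo, and it assumes openssl(1) is on PATH and accepts -config/-extensions for req and -extfile/-extensions for x509 -req.

```shell
#!/bin/sh
# Added example, not from the thread or from ikectl/iked.
# chain_verifies BASICCONSTRAINTS
#   Builds root -> intermediate -> leaf with the given basicConstraints value
#   on the root, verifies the leaf against the root with the intermediate as
#   untrusted, and prints "ok" or "fail". Assumes openssl(1) in PATH.
chain_verifies() {
  root_bc="$1"
  tmp=$(mktemp -d) || return 1
  rc=0
  (
    cd "$tmp" || exit 1
    # One config file for every step; section names are made up for the demo.
    {
      printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n'
      printf '[root_ext]\nbasicConstraints = %s\n' "$root_bc"
      printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
      # The intermediate always gets pathlen:0: it may sign leaves, not further CAs.
      printf '[inter_ext]\nbasicConstraints = critical,CA:TRUE,pathlen:0\n'
      printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
      printf 'authorityKeyIdentifier = keyid\n'
      printf '[leaf_ext]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n'
      printf 'authorityKeyIdentifier = keyid\n'
    } > req.cnf

    # Self-signed root with the basicConstraints under test.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example Root' \
      -config req.cnf -extensions root_ext -keyout root.key -out root.crt \
      >/dev/null 2>&1 || exit 1

    # Intermediate: the "other location" that gets its own key, not the root key.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
      -config req.cnf -keyout inter.key -out inter.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in inter.csr -days 30 -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile req.cnf -extensions inter_ext -out inter.crt \
      >/dev/null 2>&1 || exit 1

    # Leaf (a device or user cert) issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=laptop17' \
      -config req.cnf -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -days 30 -CA inter.crt -CAkey inter.key \
      -CAcreateserial -extfile req.cnf -extensions leaf_ext -out leaf.crt \
      >/dev/null 2>&1 || exit 1

    # Path validation: a root with pathlen:0 allows no intermediate below it,
    # so the chain is rejected with "path length constraint exceeded".
    if openssl verify -CAfile root.crt -untrusted inter.crt leaf.crt >/dev/null 2>&1; then
      echo ok
    else
      echo fail
    fi
  ) || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

for bc in 'critical,CA:TRUE' 'critical,CA:TRUE,pathlen:0'; do
  printf 'root basicConstraints=%-28s leaf via intermediate: %s\n' "$bc" "$(chain_verifies "$bc")"
done
```

The root-without-pathlen run verifies; the pathlen:0 run does not, which is exactly the 20-laptop scenario above: once the constrained root is installed everywhere, no intermediate can ever be introduced without re-deploying the root. The intermediate's own pathlen:0 is what actually bounds the chain, and it costs nothing because the intermediate is created later, when the requirement is known.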