
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author Alex Gaynor
Recipients Alex Gaynor, christian.heimes, gbremer, vstinner
Date 2017-09-12.16:40:39
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1505234439.66.0.0586527991565.issue25115@psf.upfronthosting.co.za>
In-reply-to
Content
For the use case of "I want to trust this CA, but I don't want to trust any of its sub CAs" I think there's a simpler solution than expanding our API:
Create your own cross-sign of the root you want, and add a pathLenConstraint: 0 to the basicConstraints extension.
By creating a cross-sign, I mean a new certificate with the same subject/SPKI/SKI/other-extensions, but instead of being self-signed, sign it under some random private key you throw away. And then use that as your trust root, instead of the original certificate.
This should work fine for validation.
History
Date | User | Action | Args
2017-09-12 16:40:39 | Alex Gaynor | set | recipients: + Alex Gaynor, vstinner, christian.heimes, gbremer
2017-09-12 16:40:39 | Alex Gaynor | set | messageid: <1505234439.66.0.0586527991565.issue25115@psf.upfronthosting.co.za>
2017-09-12 16:40:39 | Alex Gaynor | link | issue25115 messages
2017-09-12 16:40:39 | Alex Gaynor | create |
