Re: Trust intermediate CA for client certificates

* Ian Pilcher (arequipeno(at)gmail(dot)com) wrote:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
> > Ian Pilcher <arequipeno(at)gmail(dot)com> writes:
> >> Yes. And the problem is that there is no way to prevent OpenSSL from
> >> accepting intermediate certificates supplied by the client. As a
> >> result, the server cannot accept client certificates signed by one
> >> intermediate CA without also accepting *any* client certificate that can
> >> present a chain back to the root CA.
> >
> > Isn't that sort of the point?

Yes.

> I'm not sure what you're asking. The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root. This is currently not possible, mainly due to the way
> that OpenSSL works.

It's not possible because of the way certificate chains are *intended*
to work.. What you're asking for is something which was not a use-case
for certificates. Cross-organizational trusts were done through
'bridge' CAs, which then can have policies about what attributes are
allowed to pass through a bridge or be trusted from a not-our-root-CA.
Intermediate certificates are not the same thing and were never intended
to be used in the way you're asking for.

Thanks,

Stephen