Ok, let me rephrase my original question: Why would someone trust a cert chain of length 3 less than they would a cert chain of length 2? I see software (like Apache) that has a tunable acceptable-cert-chain-length parameter. Why wouldn't you just trust any cert chain length?
Because it's a great deal of work to properly check if intermediates on the chain have been revoked or not. So much work that it's rarely, if ever, done. Getting the CRLs (or finding the OCSP responder :) is hard, keeping them current is harder, etc.
/r$
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]