tincantech via Openvpn-users <[email protected]> writes:
> Easy-RSA is intending to change the default CA X509-type by including
> the 'basicConstraint = critical' bit.
>
> New CAs and subCAs will include the following attribute:
>
>     X509v3 extensions:
>         X509v3 Basic Constraints: critical
>             CA:TRUE
>
> This is due to python requirement VERIFY_X509_STRICT.
>
> While Easy-RSA already provides the option --bc-crit, which adds the
> 'critical' bit to any new certificate, the folk from python are asking
> that this become the absolute default for Easy-RSA CA/subCA certificates.
>
> No objections have been raised so far but we decided to ask, before the
> hammer falls, if there are any demonstrable reasons to oppose this change?

You said "absolute default" which is unusual wording. Do you really mean
just "change the default", and someone could pass some flag like
--bc-nocrit and get the current behavior, if they want? If so, that
seems fine.

Or do you mean that it will be impossible, without source code editing, to
get the old behavior? And if you do mean this, do you assert that zero
actual people would ever have a reason to do this, even if you disagree
with their judgement?

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
