Ian Pilcher <arequipeno@gmail.com> writes:
> Yes. And the problem is that there is no way to prevent OpenSSL from
> accepting intermediate certificates supplied by the client. As a
> result, the server cannot accept client certificates signed by one
> intermediate CA without also accepting *any* client certificate that can
> present a chain back to the root CA.
Isn't that sort of the point?
regards, tom lane