[cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

Rob Stradling rob.stradling at comodo.com
Wed Oct 3 07:33:18 MST 2012


I wrote: "let's get the maximum benefit from it (without making it
unnecessarily complex, of course ;-) )."

I find myself persuaded (by Adam, Ryan and Ryan) that anything more 
complex than as simple as possible is unnecessarily complex.

On 03/10/12 15:18, Adam Langley wrote:
> On Wed, Oct 3, 2012 at 9:37 AM, Paul Tiemann
> <paul.tiemann.usenet at gmail.com> wrote:
>> I don't like the name 'mustStaple' all that much because those words imply that the connection should be rejected completely if the client does not receive a staple.
>
> That is what the semantics of the extension will be, so I believe that
> mustStaple accurately reflects that.
>
>> An extension that could contain multiple OID values would allow future
>> expansion.  Something like how the AIA extension can contain more
>> than one item within it (CA Issuer, OCSP responder)
>
> We already have a mechanism in place for extensions in a certificate.
> Grouping these things together doesn't provide much benefit, but does
> mean more complexity cost. The AIA extension is a good example: OCSP
> responder and CA certificate pointers should have been separate X.509
> extensions, allowing the generic X.509 parser to do the work. Grouping
> them together just caused more code and hardly even makes sense: AIA
> vaguely contains "external stuff to do with the issuing certificate",
> but then doesn't include, say, the CPS or CRL pointers.
>
>
> Cheers
>
> AGL
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
