[cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

Adam Langley agl at google.com
Wed Oct 3 12:14:58 MST 2012


On Wed, Oct 3, 2012 at 3:10 PM, Carl Wallace <carl at redhoundsoftware.com> wrote:
> Unless you put the mustStaple OID in each certificate in the chain, this
> would be a significant change to the way certificate policies are
> processed.

Right, thank you. I thought there was some reason why we didn't want
to do it in the certificate policies and that was it.

> A better existing
> place for a mustStaple OID would be EKU (i.e., only use this key when it's
> accompanied by some stapled revocation data).

EKUs are processed in the same fashion. (Not in the PKIX standard, but
in CryptoAPI and, soon, NSS, at least.)


Cheers

AGL
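A simplified model of the chain processing discussed in this message, added here as an illustration and not part of the original thread: it shows why an OID asserted only in the leaf drops out under RFC 5280 policy processing, and under the chained EKU handling the message attributes to CryptoAPI and NSS. It assumes no policy mappings and no inhibitAnyPolicy; the function names and the mustStaple and CA policy OID strings are hypothetical placeholders.

```python
# Added illustration: simplified chain processing, not a full RFC 5280 validator.
# Assumptions: no policy mappings, no inhibitAnyPolicy, no self-issued special cases.
ANY_POLICY = "2.5.29.32.0"                   # anyPolicy (RFC 5280)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth
MUST_STAPLE = "MUST-STAPLE-OID-PLACEHOLDER"  # placeholder, no real OID implied
CA_POLICY = "CA-POLICY-OID-PLACEHOLDER"      # placeholder


def effective_policies(chain):
    """Policies still valid at the leaf.

    chain: certificatePolicies sets ordered from the first CA below the
    trust anchor down to the leaf; None means the extension is absent.
    """
    valid = {ANY_POLICY}                 # initial state: any policy acceptable
    for policies in chain:
        if policies is None:             # no extension: nothing stays valid
            return set()
        if ANY_POLICY in valid:          # parent allowed anything
            valid = set(policies)
        elif ANY_POLICY not in policies:
            valid &= policies            # only policies asserted at every level survive
        # else: anyPolicy in this cert carries the current set through unchanged
    return valid


def effective_ekus(chain):
    """Chained EKU model: an EKU in a CA certificate constrains everything below.

    None means the extension is absent (no restriction from that certificate).
    Returns None if no certificate in the chain carries an EKU extension.
    """
    usable = None
    for ekus in chain:
        if ekus is None:
            continue
        usable = set(ekus) if usable is None else usable & ekus
    return usable


# Constructed chains (CA first, leaf last).
LEAF_ONLY = [{CA_POLICY}, {CA_POLICY, MUST_STAPLE}]
EVERY_CERT = [{CA_POLICY, MUST_STAPLE}, {CA_POLICY, MUST_STAPLE}]
ANY_AT_CA = [{ANY_POLICY}, {CA_POLICY, MUST_STAPLE}]
EKU_LEAF_ONLY = [{SERVER_AUTH}, {SERVER_AUTH, MUST_STAPLE}]

if __name__ == "__main__":
    for name in ("LEAF_ONLY", "EVERY_CERT", "ANY_AT_CA"):
        print(name, MUST_STAPLE in effective_policies(globals()[name]))
    print("EKU_LEAF_ONLY", MUST_STAPLE in effective_ekus(EKU_LEAF_ONLY))
```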

