[cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

Adam Langley agl at google.com
Wed Oct 3 14:18:05 UTC 2012


On Wed, Oct 3, 2012 at 9:37 AM, Paul Tiemann
<paul.tiemann.usenet at gmail.com> wrote:
> I don't like the name 'mustStaple' all that much because those words imply that the connection should be rejected completely if the client does not receive a staple.

That is what the semantics of the extension will be, so I believe that
mustStaple accurately reflects that.

> An extension that could contain multiple OID values would allow future
> expansion.  Something like how the AIA extension can contain more
> than one item within it (CA Issuer, OCSP responder)

We already have a mechanism in place for extensions in a certificate.
Grouping these things together doesn't provide much benefit, but does
mean more complexity cost. The AIA extension is a good example: OCSP
responder and CA certificate pointers should have been separate X.509
extensions, allowing the generic X.509 parser to do the work. Grouping
them together just caused more code and hardly even makes sense: AIA
vaguely contains "external stuff to do with the issuing certificate",
but then doesn't include, say, the CPS or CRL pointers.


Cheers

AGL
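The semantics described above (a mustStaple certificate presented without a staple means the connection is rejected), worked through as an added Go example that is not part of the original thread or any CA/Browser Forum draft. It assumes the OID 1.3.6.1.5.5.7.1.24 and feature number 5 of the later RFC 7633 TLS Feature extension, since the draft's own identifier is not on the page, and takes the parsed x509.Certificate.Extensions slice rather than a live TLS connection.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

// TLS Feature OID as later standardised in RFC 7633 (assumed; the draft may differ).
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// TLS extension number for status_request, the feature "must staple" names.
const statusRequest = 5

// requiresStaple reports whether a certificate's extensions carry the must-staple marker.
func requiresStaple(exts []pkix.Extension) bool {
	for _, ext := range exts {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int // DER SEQUENCE OF INTEGER
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			return true // malformed marker: fail closed and demand a staple
		}
		for _, f := range features {
			if f == statusRequest {
				return true
			}
		}
	}
	return false
}

// checkStaple applies the semantics stated in the thread: a must-staple certificate
// presented without a stapled OCSP response is rejected outright. In a real client,
// staple would be tls.ConnectionState.OCSPResponse from the handshake.
func checkStaple(exts []pkix.Extension, staple []byte) error {
	if requiresStaple(exts) && len(staple) == 0 {
		return errors.New("mustStaple: no OCSP staple received, rejecting connection")
	}
	return nil
}

// mustStapleExtensions returns a constructed extension list carrying the marker,
// as a CA would embed it, so the check can be exercised offline.
func mustStapleExtensions() []pkix.Extension {
	val, _ := asn1.Marshal([]int{statusRequest})
	return []pkix.Extension{{Id: oidTLSFeature, Value: val}}
}
```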