On Thu, Oct 06, 2016 at 01:59:33PM +1100, Martin Thomson wrote:
> On 6 October 2016 at 06:40, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > The only issue that comes to mind is where extensions that are specific
> > to the certificate chain instead of the certificate go.
>
> Let's keep it simple. I would put these on the EE cert. That is the
> entry that has the most chance of being looked at.

Yeah, if there is no separate slot, then EE cert slot is the most logical.

Perhaps also put server_certificate_type/client_certificate_type there? That would eliminate the anomaly that one must know the server certificate type before sending the certificate.

However, with client_certificate_type, one has to be careful, since server support also matters. So presumably one would have server send a list of supported formats.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls