This seems resolved. I'll update the text to reflect that per-chain extensions should be included as extensions of the end-entity certificate. RFC 7250 client/server_certificate_type values (such as X.509) that apply to the entire chain should be extensions of the EE cert.
The client_certificate_type extension sent from the server in RFC 7250 can go in either the encrypted extensions or the proposed CertificateRequest extension field, but that has no bearing on this proposal.

On Thu, Oct 6, 2016 at 2:26 AM Martin Thomson <martin.thom...@gmail.com> wrote:

> On 6 October 2016 at 17:42, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > Perhaps also put server_certificate_type/client_certificate_type
> > there? That would eliminate the anomaly that one must know the
> > server certificate type before sending the certificate.
>
> Sounds like a perfect use for the CertificateRequest extension field,
> for the client certificate anyway.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls