On Mon, Sep 05, 2016 at 09:46:51PM +0000, Andrei Popov wrote:
>
> Do we need to make it this flexible? The idea was to avoid adding
> complexity to the certificate filtering code in the TLS stack, and
> instead filter by OIDs in the PKI library. PKI libraries already
> inspect and match OID values, so this should be a relatively small
> change for them.

Haven't found an answer to this yet...

How are the OIDs encoded exactly? Does the value of
'certificate_extension_oid' include redundant OBJECT IDENTIFIER tag
and length, or not?

That is, is id-pe-nsa [1.3.6.1.5.5.7.1.23] (just to pick an example)
in certificate_extension_oid field encoded as:

1) 2B 06 01 05 05 07 01 17 (no tag/length)
2) 06 08 2B 06 01 05 05 07 01 17 (tag/length included).

?

-Ilari
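
The two candidate encodings from the question, as an added example that is not part of the original message (function names are illustrative): it builds both byte strings for 1.3.6.1.5.5.7.1.23 and shows that form 2, read as bare content octets, decodes to a different well-formed OID instead of failing, so a mismatch between sender and receiver would not surface as a parse error.

```python
OID = "1.3.6.1.5.5.7.1.23"  # the OID used as the example in the message

def encode_arc(n):
    """Base-128 encode one arc; every octet but the last has bit 8 set."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def content_octets(dotted):
    """Form 1: DER content octets only (no tag, no length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID")
    return b"".join(encode_arc(a) for a in [arcs[0] * 40 + arcs[1]] + arcs[2:])

def tlv(dotted):
    """Form 2: tag 0x06, short-form length, then the content octets."""
    body = content_octets(dotted)
    if len(body) > 127:
        raise ValueError("long-form length is outside this example")
    return bytes([0x06, len(body)]) + body

def decode_content(data):
    """Decode content octets back to dotted form, rejecting malformed input."""
    if not data or data[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value, start = [], 0, True
    for b in data:
        if start and b == 0x80:
            raise ValueError("non-minimal arc encoding")
        value = (value << 7) | (b & 0x7F)
        start = not (b & 0x80)  # bit 8 clear marks the last octet of an arc
        if start:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def decode_tlv(data):
    """Decode form 2, checking the tag and that the length covers the rest."""
    if len(data) < 2 or data[0] != 0x06 or data[1] > 0x7F or data[1] != len(data) - 2:
        raise ValueError("not a single short-form OBJECT IDENTIFIER TLV")
    return decode_content(data[2:])

if __name__ == "__main__":
    for name, blob in (("form 1", content_octets(OID)), ("form 2", tlv(OID))):
        print(name, blob.hex(" ").upper(), "-> as content octets:", decode_content(blob))
```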