On Thu, May 04, 2017 at 01:26:02PM +0000, Natasha Rooney wrote:
>
> GSMA are working on future SIM specifications which use TLS and
> previously included the trusted_ca_keys to allow a client to
> inform a server which particular key(s) from a CA it is
> supporting. In TLS 1.3 the ‘trusted_ca_keys’ extension is no
> longer used. It does have the “certificate_authority” extension
> however, but it seems to only identify the CA organisation by its
> DistinguishedName. If the CA supports multiple keys – how can a
> client point to a particular cert/key of that CA?
The certificate should have its own DN, use that. This doesn't fully solve designating by key, as multiple issuing CAs can share a key.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
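The exchange above turns on what the TLS 1.3 `certificate_authorities` extension can and cannot express. The following Python is an added example written for this page; it is not code from the thread, from GSMA, or from any TLS implementation. It encodes and parses the extension body as RFC 8446 section 4.2.4 defines it (a vector of DER-encoded DistinguishedNames, each length-prefixed), then shows the two selection rules discussed: picking a chain by issuer DN is unambiguous, while picking by issuer key is not when two issuing CAs share a key. The CA names, the `der_cn_name` helper (which encodes only a single-CN Name), the `SHARED_KEY_ID` value and the `CHAINS` records are all constructed sample data, not real certificates.

```python
"""TLS 1.3 certificate_authorities (RFC 8446 s4.2.4): encode, decode, select.

Added illustration for the mailing-list thread; not a real TLS stack.
"""
import struct

CERTIFICATE_AUTHORITIES = 47  # extension type number assigned in RFC 8446


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form lengths (< 128) are enough here."""
    if len(body) >= 128:
        raise ValueError("helper only supports short-form DER lengths")
    return bytes([tag, len(body)]) + body


def der_cn_name(cn: str) -> bytes:
    """DER-encode an X.501 Name consisting of the single RDN CN=<cn>."""
    oid_cn = _der_tlv(0x06, bytes([0x55, 0x04, 0x03]))  # OID 2.5.4.3 commonName
    value = _der_tlv(0x0C, cn.encode("utf-8"))           # UTF8String
    atv = _der_tlv(0x30, oid_cn + value)                 # AttributeTypeAndValue
    rdn = _der_tlv(0x31, atv)                            # RelativeDistinguishedName
    return _der_tlv(0x30, rdn)                           # Name ::= SEQUENCE OF RDN


def encode_certificate_authorities(names) -> bytes:
    """Build the extension_data: DistinguishedName authorities<3..2^16-1>."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    if not 3 <= len(body) <= 0xFFFF:
        raise ValueError("authorities vector length out of range")
    return struct.pack("!H", len(body)) + body


def decode_certificate_authorities(data: bytes):
    """Parse extension_data back into a list of DER Name blobs, strictly."""
    if len(data) < 2:
        raise ValueError("truncated certificate_authorities extension")
    (total,) = struct.unpack("!H", data[:2])
    if total < 3 or len(data) != 2 + total:
        raise ValueError("malformed certificate_authorities extension")
    names, off, end = [], 2, 2 + total
    while off < end:
        if off + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (ln,) = struct.unpack("!H", data[off:off + 2])
        off += 2
        if ln < 1 or off + ln > end:
            raise ValueError("DistinguishedName length out of range")
        names.append(data[off:off + ln])
        off += ln
    return names


# Constructed sample data: two issuing CAs with distinct DNs but one shared
# key, mirroring the caveat in the reply above. Not real certificates.
SHARED_KEY_ID = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
CHAINS = [
    {"leaf": "server-cert-from-ca1",
     "issuer_dn": der_cn_name("Example Issuing CA 1"),
     "issuer_key_id": SHARED_KEY_ID},
    {"leaf": "server-cert-from-ca2",
     "issuer_dn": der_cn_name("Example Issuing CA 2"),
     "issuer_key_id": SHARED_KEY_ID},
]


def select_by_issuer(chains, authorities):
    """Return the first chain whose issuer DN the peer listed (DN is unique)."""
    wanted = set(authorities)
    for chain in chains:
        if chain["issuer_dn"] in wanted:
            return chain
    return None


def select_by_issuer_key(chains, key_id):
    """Return every chain issued under key_id; ambiguous when CAs share a key."""
    return [c for c in chains if c["issuer_key_id"] == key_id]


if __name__ == "__main__":
    ext = encode_certificate_authorities([der_cn_name("Example Issuing CA 2")])
    listed = decode_certificate_authorities(ext)
    print("by DN :", select_by_issuer(CHAINS, listed)["leaf"])
    print("by key:", [c["leaf"] for c in select_by_issuer_key(CHAINS, SHARED_KEY_ID)])
```

Selecting by the DN the client lists yields exactly one chain, which is the answer in the reply: give each issuing certificate its own DN and name that. Selecting by the issuer key returns both chains, which is the residual gap the reply points out when several issuing CAs share one key. The parser rejects zero-length names and length fields that overrun the vector, the checks an implementation needs before trusting a peer-supplied list.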