On Wed, Jul 18, 2018 at 01:17:44AM +0000, Patton,Christopher J wrote: > Hi all, > > > I've added a few pull requests to the draft "Delegated credentials for TLS" > that address the proposals discussed at IETF. > > Specifically: > > * https://github.com/tlswg/tls-subcerts/pull/8 -- Creates a tighter > binding of the DC to the handshake parameters; > * https://github.com/tlswg/tls-subcerts/pull/9 -- Permits mandatory > delegation-key isolation, addresses the proposed"must-use-DC" TLS feature > extension; > * https://github.com/tlswg/tls-subcerts/pull/10 -- drops support for TLS > 1.2. > > Comments on these changes are welcome; feel free to chime in on GitHub.
The way mandatory delegation-key usage is specified seems to violate how X.509 critical bit is supposed to work. The bit is not supposed to alter processing of recogized extensions, it is only supposed to alter processing of unrecognized extensions from ignore to reject. If you want to actually alter the processing to require such certificate to always only be used for DC, you need a flag somewhere else, which might be payload of the extension (and that extension should _also_ be marked critical to ensure that clients that do not understand DC do not accept it). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
