So you think we need that the extension is marked critical if and only if the strict flag is set? That wouldn't be ideal. Can you explain your thinking? Which case presents a problem?
________________________________
From: ilariliusva...@welho.com <ilariliusva...@welho.com> on behalf of Ilari Liusvaara <ilariliusva...@welho.com>
Sent: Thursday, July 19, 2018 3:39 PM
To: Patton,Christopher J
Cc: Santosh Chokhani; tls@ietf.org
Subject: Re: [TLS] Proposed changes to draft-ietf-tls-subcerts

On Thu, Jul 19, 2018 at 07:04:31PM +0000, Patton,Christopher J wrote:
> Thanks both of you for the feedback.
>
> I've revised the PR:
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_tlswg_tls-2Dsubcerts_pull_9&d=DwIBaQ&c=pZJPUDQ3SB9JplYbifm4nt2lEVG5pWx2KikqINpWlZM&r=VKs6yUchJieNTSwm3Abwfg&m=_AoKRFspNsT-b4Jjhi1qtaEQ7O68i_qvVS7Gwt9TkB0&s=fZWPg8E9BJ_dXERlQXMDWwzI0uzp5mFFkN9roNzSXpk&e=
>
> There's now a "strict" flag that, if set, requires the server to
> offer a DC. In Sec. 6.1, I describe why I think this is sufficient.
> Let me know what you think!

Ugh, it occurs to me that to have proper processing in all cases,
including a client that does not support DC and a client that does and
ignores criticality of supported extensions, you need to have the
critical flag and strict flag mirror each other.

-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls