On Thu, Jul 19, 2018 at 07:56:05PM +0000, Patton,Christopher J wrote:
> So you think we need that the extension is marked critical if and
> only if the strict flag is set? That wouldn't be ideal. Can you
> explain your thinking? Which case presents a problem?
There are two types of clients:

1) Clients that do not know about DC.
 - These clients never use DC.
 - These do not understand the DC extension.
 - If you want non-strict certificate, it has to have critical=false on DC extension.
 - If you want strict certificate, it has to have critical=true on DC extension.

2) Clients that support DC.
 - These clients may or may not use DC.
 - These understand the DC extension.
 - As consequence, criticality of DC extension is ignored by X.509 rules.
 - So to specify if certificate is strict, you need a flag inside the extension.

And in the end, the two flags always end up mirroring each other, but signifying different things.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
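The argument above, as an added example that is not part of Ilari's message or of any TLS draft: a small Python model of the two client types. A DC-unaware client follows the X.509 rule for unrecognised extensions (reject if critical, ignore otherwise) and never reads the payload; a DC-aware client recognises the extension, so the critical bit stops mattering and only an in-payload "strict" flag tells it anything. The OID, the `Extension` dataclass and the `strict` field are assumptions made for the illustration; enumerating all four (critical, strict) combinations shows which ones leave both client types with the same view.

```python
from dataclasses import dataclass
from itertools import product

# Hypothetical OID used only for this illustration; the message does not give
# the real delegated-credentials extension OID.
DC_EXT_OID = "1.3.6.1.4.1.0.1"


@dataclass(frozen=True)
class Extension:
    """One X.509 extension: its OID, the X.509 critical bit, and (assumed here)
    a 'strict' flag carried inside the DC extension's own payload."""
    oid: str
    critical: bool
    strict: bool


def unaware_client_accepts(ext: Extension) -> bool:
    """Client type 1: does not implement DC.
    Under X.509 / RFC 5280 rules a relying party must reject a certificate that
    contains an unrecognised extension marked critical, and simply ignores a
    non-critical unrecognised one. The payload is never read."""
    recognised_oids = set()  # this client recognises nothing DC-related
    if ext.oid in recognised_oids:
        return True
    return not ext.critical


def aware_client_treats_as_strict(ext: Extension) -> bool:
    """Client type 2: implements DC, so it recognises the extension and the
    critical bit no longer influences acceptance. The only way it can learn
    whether the certificate is 'strict' is a flag inside the extension."""
    if ext.oid != DC_EXT_OID:
        raise ValueError("not a DC extension")
    return ext.strict


def issuer_must_set_critical(strict: bool) -> bool:
    """The issuer's rule from the message: a strict certificate must carry
    critical=true so DC-unaware clients refuse it; a non-strict one must
    carry critical=false so they can still use it."""
    return strict


def flags_are_consistent(ext: Extension) -> bool:
    """True when the outer critical bit and the inner strict flag agree, i.e.
    an unaware client accepts exactly when an aware client sees non-strict."""
    return unaware_client_accepts(ext) == (not aware_client_treats_as_strict(ext))


def audit_all_combinations():
    """Walk the four (critical, strict) combinations and report, for each,
    what the unaware client does, what the aware client concludes, and whether
    the two flags mirror each other as the message says they must."""
    rows = {}
    for critical, strict in product([False, True], repeat=2):
        ext = Extension(DC_EXT_OID, critical, strict)
        rows[(critical, strict)] = {
            "unaware_accepts": unaware_client_accepts(ext),
            "aware_strict": aware_client_treats_as_strict(ext),
            "consistent": flags_are_consistent(ext),
        }
    return rows


if __name__ == "__main__":
    for (critical, strict), r in audit_all_combinations().items():
        print(f"critical={critical!s:5} strict={strict!s:5} -> {r}")
```

Only the two diagonal combinations (critical=strict) are consistent; the other two leave the DC-unaware population enforcing the opposite policy from what the DC-aware population reads out of the payload, which is the mirroring the message describes.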