On Thu, Jul 19, 2018 at 08:39:11PM +0000, Patton,Christopher J wrote:
>
> Now let's check the converse. Suppose that the crit=true. Is it valid
> for strict to be false? Yes, because the extension being critical
> only means that the client has to understand DC in order to accept
> the certificate. But this doesn't mean they must negotiate a DC.

It might have a well-defined technical meaning, but I consider it nonsensical, because it means that if a client does not understand DC, it must reject the certificate, but if a client understands DC, it can accept it even in non-DC contexts.

The other mismatch case also has a well-defined technical meaning: it means that a client that does not understand DC can use the certificate, but a client that understands DC can only use it in a DC context.

I do not consider either of these two cases sensible.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls