On Fri, Jul 20, 2018 at 06:41:14PM +0000, Patton,Christopher J wrote:
>
> Thus, I believe the only valid configurations are:

Sanity check: If DC is not used, then either all clients accept, or
all clients reject.

> * strict=true, crit=true;

Both reject. Satisfies the check.

> * strict=false, crit=true; and

Clients that support DC accept, clients that do not support DC reject.
This fails the check above.

> * strict=false, crit=false.

Both accept. Satisfies the check.

(The fourth, strict=true, crit=false, would also fail the check).

Actually, what use case do strict certificates serve anyway? I cannot
figure out any use case that would make much sense to me. Dealing with
server endpoints that are capable of LURK but not proof-of-possession
nor is the keyserver capable of format-checking?

The use case for the X.509 extension to signal support is to signal
the service the needed infrastructure for delegating subcertificates
(including having LURK as standby).

-Ilari