In addition, you could mandate that the extension can never be critical:

   ext-trustAnchorIdentifier EXTENSION ::= {
      SYNTAX TrustAnchorIdentifier
      IDENTIFIED BY id-pe-trustAnchorIdentifier
      CRITICALITY { FALSE } }

Russ

> On May 12, 2025, at 4:44 PM, Russ Housley <hous...@vigilsec.com> wrote:
>
> Please include a full ASN.1 module in the document that follows the RFC 5912
> conventions for defining extensions. I have attached it.
>
> I have assumed that the module identifier and the OID for the extension will
> be assigned from the PKIX registries.
>
> Russ
>
> = = = = = = =
>
> <CODE BEGINS>
> TrustAnchorIdentifiers-2025
>   { iso(1) identified-organization(3) dod(6) internet(1)
>     security(5) mechanisms(5) pkix(7) id-mod(0)
>     id-mod-TrustAnchorIdentifiers-2025(TBD1) }
>
> DEFINITIONS EXPLICIT TAGS ::=
> BEGIN
>
> IMPORTS
>   EXTENSION
>   FROM PKIX-CommonTypes-2009 -- From [RFC5912]
>     { iso(1) identified-organization(3) dod(6)
>       internet(1) security(5) mechanisms(5) pkix(7)
>       id-mod(0) id-mod-pkixCommon-02(57) };
>
> -- Trust Anchor Identifiers Certificate Extension
>
> ext-TrustAnchorIdentifiers EXTENSION ::= {
>   SYNTAX TrustAnchorIdentifier
>   IDENTIFIED BY id-pe-trustAnchorIdentifier }
>
> id-pe-trustAnchorIdentifier OBJECT IDENTIFIER ::= { TBD2 }
>
> TrustAnchorIdentifier ::= RELATIVE-OID
>
> END
> <CODE ENDS>
> _______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
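
An added example (not part of the thread or the draft) of how a certificate parser could enforce the non-critical constraint suggested in the message above and decode the RELATIVE-OID value from a DER-encoded Extension. Assumptions: the OID 2.999.1 is a placeholder for the unassigned TBD2, the sample bytes are constructed, and rejecting any encoded critical flag is an assumed policy.

```python
PLACEHOLDER_EXT_OID = bytes.fromhex("883701")  # OID content of 2.999.1; placeholder for TBD2
SAMPLE_OK = bytes.fromhex("300d06038837010406" "0d0481fd5901")  # constructed
SAMPLE_CRITICAL = bytes.fromhex("3010060388370101" "01ff0406" "0d0481fd5901")  # constructed

def read_tlv(buf, pos):  # -> (tag, value, next_pos); short- or long-form DER length
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_relative_oid(content):
    """Decode RELATIVE-OID content octets (base-128 arcs) into a list of ints."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed RELATIVE-OID")
    arcs, value, start = [], 0, True
    for b in content:
        if start and b == 0x80:  # leading 0x80 octet means a padded, non-minimal arc
            raise ValueError("non-minimal arc encoding")
        value = (value << 7) | (b & 0x7F)
        start = not (b & 0x80)  # high bit clear terminates the arc
        if start:
            arcs.append(value)
            value = 0
    return arcs

def parse_trust_anchor_id_ext(der, ext_oid=PLACEHOLDER_EXT_OID):
    """Parse one Extension SEQUENCE; return the trust anchor identifier arcs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single Extension SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != ext_oid:
        raise ValueError("unexpected extnID")
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # DER omits DEFAULT FALSE, so an encoded BOOLEAN is TRUE or non-DER
        raise ValueError("extension must be non-critical")
    if tag != 0x04 or pos != len(body):
        raise ValueError("bad extnValue")
    tag, rel, end = read_tlv(val, 0)
    if tag != 0x0D or end != len(val):  # 0x0D is the universal tag for RELATIVE-OID
        raise ValueError("extnValue is not a RELATIVE-OID")
    return decode_relative_oid(rel)
```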