On 6/28/22 11:12 AM, Salz, Rich wrote:
> With regard to PKIX certificates, the primary usage is in the
> context of the public key infrastructure described in {{5280}}.
> In addition, technologies such as DNS-Based Authentication
> of Named Entities (DANE) {{RFC6698}} sometimes use certificates based
> on PKIX (more precisely, certificates structured via {{X.509}} or
> specific encodings thereof such as {{X.690}}), at least in certain
> modes. Alternatively, a TLS peer could issue delegated credentials
> that are based on a CA-issued certificate, as in {{TLS-SUBCERTS}}.
> In both of these cases, a TLS client could learn of a service identity
> through its inclusion in the relevant certificate. The rules specified
> here are intended to apply whenever service identities are included in
> X.509 certificates or credentials that are derived from such certificates.
>
> s/are intended to// :)

Agreed.

> s/are derived from/are derived from, or used to derive/ (subcerts is the latter)

I think this is better: "The rules specified here apply whenever service
identities are included in X.509 certificates, either directly or
indirectly through credentials derived from such a certificate."

Peter