List: ietf-tls
Subject: Re: [TLS] Proposed changes to draft-ietf-tls-subcerts
From: "Patton,Christopher J" <cjpatton () ufl ! edu>
Date: 2018-07-24 18:04:27
Message-ID: MWHPR22MB0461C41A5D7D67FDBE2427BAC6550 () MWHPR22MB0461 ! namprd22 ! prod ! outlook ! com
Aww, I see your point. You're right, it should be that crit=true if and only if crit=true.

> Actually, what usecase do strict certificates serve anyway? I can not
> figure out any usecase that would make much sense to me. Dealing with
> server endpoints that are capable of LURK but not proof-of-possession
> nor is the keyserver capable of format-checking?

The point was to enforce that, if a delegation certificate is offered in a handshake, then a DC must be negotiated in that handshake. I wasn't actually there, but I'm told that this feature was brought up at IETF. It doesn't seem like there's a clean way to do this, and I'm not sure this feature is worth the added complexity.

I'm going to propose we drop the strict flag and let the critical bit be optional for the extension. What do you think?
-Chris
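The two policies Chris contrasts above, as an added illustration that is not part of the original message, the draft, or any TLS library: a client that understands delegated credentials either (a) treats a critical DelegationUsage extension as "a DC must have been negotiated or the handshake fails" (the strict-flag semantics), or (b) ignores the critical bit for that purpose (the proposal to drop the flag), in which case the bit only matters to legacy clients that apply the ordinary RFC 5280 rule of rejecting an unrecognised critical extension. The dataclass fields and function names are this example's own simplifications, not the draft's encoding.

```python
from dataclasses import dataclass

# Simplified model of the negotiation rule under discussion. Field and
# function names are this example's assumptions, not the draft's encoding.


@dataclass(frozen=True)
class EndEntityCert:
    has_delegation_usage: bool       # carries the DelegationUsage X.509 extension
    delegation_usage_critical: bool  # that extension's critical bit


@dataclass(frozen=True)
class Handshake:
    client_offered_dc: bool  # client advertised delegated_credential support
    server_sent_dc: bool     # server's Certificate message carried a DC


def dc_aware_client_accepts(cert: EndEntityCert, hs: Handshake, strict: bool):
    """Decision of a client that understands delegated credentials.

    strict=True models the "strict certificate" semantics: a critical
    DelegationUsage extension is only acceptable if a DC was actually
    negotiated in this handshake.  strict=False models the proposal to drop
    that requirement and leave the critical bit optional.
    Returns (accepted, reason).
    """
    if hs.server_sent_dc and not hs.client_offered_dc:
        return False, "server sent a DC the client never asked for"
    if hs.server_sent_dc and not cert.has_delegation_usage:
        return False, "DC presented but certificate lacks DelegationUsage"
    if strict and cert.delegation_usage_critical and not hs.server_sent_dc:
        return False, "critical DelegationUsage but no DC negotiated"
    return True, "ok"


def legacy_client_accepts(cert: EndEntityCert):
    """Decision of a client that has never heard of DelegationUsage.

    Under the usual X.509 rule (RFC 5280) an unrecognised extension marked
    critical makes the certificate unacceptable; a non-critical one is ignored.
    Once the strict flag is gone, this is the only effect the critical bit has.
    Returns (accepted, reason).
    """
    if cert.delegation_usage_critical:
        return False, "unrecognised critical extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed cases showing how the same certificate fares under each policy.
    crit = EndEntityCert(has_delegation_usage=True, delegation_usage_critical=True)
    noncrit = EndEntityCert(has_delegation_usage=True, delegation_usage_critical=False)
    no_dc = Handshake(client_offered_dc=True, server_sent_dc=False)
    with_dc = Handshake(client_offered_dc=True, server_sent_dc=True)
    for label, cert in (("critical", crit), ("non-critical", noncrit)):
        for hs_label, hs in (("no DC", no_dc), ("DC", with_dc)):
            for strict in (True, False):
                ok, why = dc_aware_client_accepts(cert, hs, strict)
                print(f"{label:12} {hs_label:5} strict={strict!s:5} -> {ok} ({why})")
        print(f"{label:12} legacy client -> {legacy_client_accepts(cert)}")
```

The last branch of dc_aware_client_accepts is the whole "strict" feature; deleting it is exactly the proposal in the message, and afterwards the critical bit no longer changes a DC-aware client's decision at all.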