Erwann Abalea <eaba...@gmail.com> writes:

>Has this extension been de-obsoleted? It was already deprecated in RFC2459,
>it's not even present in RFC5280 anymore.

Like other aspects of the web PKI (e.g. wildcard certs), this is one of the areas where you need to ignore what PKIX says and do what makes sense. I've tried to find out, on the PKIX list, what their objection to pKUP is, but was never able to get any kind of sensible answer beyond "you can't use it because we say you can't use it". It's actually an extremely useful extension for long-term signature verification where you have a key that's valid for (say) one year but want to verify a signature ten years in the future.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy