Paul Wouters <[email protected]> wrote:
> https://tools.ietf.org/html/rfc4945#section-5
> ExecSum: Should a certificate with serverAuth marked Critical be
> rejected by IKE or not?
It depends upon how it arrives.
My position is that any certificate pinned into a config file should always
be valid; it's just a container for a public key.
If it arrives via a protocol, and must be validated, then all sorts of checks
are reasonable, but in general, I dislike checks that reject certificates
because they contain *more* than is expected.
I don't think it helps anyone, not even the lawyers, and contributes to
widespread (weak) PSK usage.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
