> Is it? I must admit that I regard RFC2560 as ambiguous in this and many
> other regards and I have to imply some "interpretation" on what should
> be done.
Yeah, it's surprising / disappointing how imprecise it is.
As Florian pointed out, 4.1.2 and 4.4 say either side can do anything
since none of the extensions are marked critical.
> Certificate verify is one example where things are particularly painful.
> The wording includes something equivalent to "you can accept and reject
> certificates for arbitrary additional reasons" or "you can do what the
> hell you like".
The RFC is somewhat schizophrenic. On the one hand, it details a
trust-chain model with key usage, cert extensions, etc. One might
suspect that those came from the authors associated with Entrust. On
the other hand, it also says "you might have out of band information so
we'll stay the hell out of the way." One might suspect that came from
folks involved with the creation of a certain financial services
consortium that was a closely-guarded secret at the time.
Or, you can just shrug and notice that the compromises make an unclean
fit. :)
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
