On 09/10/2012 11:34 PM, Thomas Kluge wrote:
> I support this as part of basic, but it should be optional.

I now think that this should be done in a separate I-D (let's not wake the RELOAD authors up from their cryogenic stasis before October 22nd :-) ), in the same way that RFC 5924 was done.

> Implementors may either ignore this extended key usage or check for it, but
> should never reject it if it's part of the certificate.

Hmmm. What I would propose then is to define a mandatory-extension. Overlays with a configuration file containing this element MUST check for the EKU and accept/reject the certificate based on a text similar to RFC 2924 section 5. If the mandatory-extension is not present, then everything will work as it is today.

If there is no disagreement, I'll prepare an Internet-Draft. I already talked to the PKIX people about the process to allocate a new EKU, but I'll allocate a provisional one in my PEN for experimentation purposes.

Thanks.

-- 
Marc Petit-Huguenin
Email: [email protected]
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
