On 25 Feb 2009, at 13:50, Frederick Hirsch wrote:
>> - 5.2 and 5.3 have an issue about additional algorithms. I suggest
>> just being silent about them.
> ok to remove the issues?
To the extent to which these are about unspecified additional
algorithms, that's what I'm proposing. The second hash algorithm
question is separate, I think.
>> - In 4.4, we currently perform a dance around X.509 version numbers.
>> Thinking this through more thoroughly, it worries me that this came
>> up, for the following reason: You need an X.509 v3 extension to
>> express the basic constraints on a certificate. Without the basic
>> constraints extension, it is impossible to distinguish a CA
>> certificate from an end entity certificate. Which in turn suggests
>> that somebody might have inadvertently generated a CA certificate
>> instead of an end entity certificate... In other words, we shouldn't
>> ever see an end entity certificate that is X.509 v1 or v2. (And if
>> we see one, it's a good idea to break it.)
> so you suggest simplifying this to v3?
I suggest mandating v3 certificates, yes.
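The rule argued for above, as an added example that is not code from this thread or from the specification under discussion: a Go check that accepts a signer certificate only if it is X.509 v3 and carries a basicConstraints extension with cA=FALSE, rejecting both a certificate with no basicConstraints at all (where CA and end entity cannot be told apart) and one marked as a CA. The self-signed certificates are constructed at runtime for the demonstration; makeCert and checkEndEntity are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkEndEntity applies the rule argued for in the thread: an end-entity
// certificate must be X.509 v3 and must carry basicConstraints with cA=FALSE;
// without that extension a CA certificate and an end-entity one look the same.
func checkEndEntity(cert *x509.Certificate) error {
	if cert.Version != 3 {
		return fmt.Errorf("X.509 v%d certificate; v3 is required", cert.Version)
	}
	if !cert.BasicConstraintsValid {
		return errors.New("no basicConstraints extension: cannot tell CA from end entity")
	}
	if cert.IsCA {
		return errors.New("basicConstraints cA=TRUE: this is a CA certificate")
	}
	return nil
}

// makeCert builds a constructed self-signed certificate for the demo; withBC
// decides whether a basicConstraints extension is emitted at all, isCA its cA flag.
func makeCert(withBC, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed widget signer"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: withBC,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling makeCert(true, false), makeCert(false, false) and makeCert(true, true) and passing each result to checkEndEntity shows only the first one accepted.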