On Wed, May 17, 2017 at 12:28 PM, Gervase Markham <[email protected]> wrote:
> On 17/05/17 17:24, Ryan Sleevi via Public wrote:
> > Would you (and Jeremy and Gerv) be receptive to including this in
> > 3.2.2.4?
>
> I have no objection; although would it have an effect on achievable
> implementation timelines?
>

Start with a SHOULD with a MUST timeline in the future :)

> > There did not appear to be any objections raised on the list - simply a
> > discussion related to policy OIDs versus an extension, but the
> > extension provides a semantically valid approach that minimizes any
> > changes to CA infrastructure.
>
> People with more expertise than me can make the call as to which way to
> do it :-)
>

Yeah, policy OID would require reissuing intermediates to be
meaningful/effective/interoperable (e.g. Microsoft ADCS requires policy
OIDs in leaves are contained within their issuing intermediate), whereas
ADCS can be 'easily' extended (via ICertServerPolicy
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa387348(v=vs.85).aspx>
extensions
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa388216(v=vs.85).aspx>
- example code
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa387704(v=vs.85).aspx>)
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
